
Windows Analysis Report
SecuredOnedrive.ClientSetup.exe

Overview

General Information

Sample name: SecuredOnedrive.ClientSetup.exe
Analysis ID: 1582217
MD5: 58fe579f71dbeda2fd50c1b046b5f3ef
SHA1: 84eeee9907009151ad5efc1074fb5db27bd2977a
SHA256: 40cafa4d9e7220f582af1ecc2a4b0ea1ab4b3b76fd83a398a0ebb50eeb5fce7d

Detection

ScreenConnect Tool
Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w11x64_office
  • SecuredOnedrive.ClientSetup.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe" MD5: 58FE579F71DBEDA2FD50C1B046B5F3EF)
    • msiexec.exe (PID: 5824 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi" MD5: FE653E9A818C22D7E744320F65A91C09)
  • msiexec.exe (PID: 6508 cmdline: C:\Windows\system32\msiexec.exe /V MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
    • msiexec.exe (PID: 6828 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 77340DACFC52F1F82F48657C600111B3 C MD5: FE653E9A818C22D7E744320F65A91C09)
      • rundll32.exe (PID: 6908 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI159B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5183031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: A79FE1974156C5C9ED4331BF78D2DBB1)
    • msiexec.exe (PID: 6812 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FC01D66D9C659A0C1A52C9225EB89673 MD5: FE653E9A818C22D7E744320F65A91C09)
    • msiexec.exe (PID: 2164 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3B616DDBEE16C1106C896B51026D25DE E Global\MSI0000 MD5: FE653E9A818C22D7E744320F65A91C09)
  • ScreenConnect.ClientService.exe (PID: 6660 cmdline: "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=69a721fd-b674-4daa-86be-2f9c571953f8&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 3344 cmdline: "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "2cfdcfba-a2ce-49b7-8617-d9cdd62ec687" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 4336 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc MD5: 8EC922C7A58A8701AB481B7BE9644536)
  • cleanup
No configs have been found
Yara Overview

Initial Sample
Source: SecuredOnedrive.ClientSetup.exe | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security

Dropped Files
Source: C:\Windows\Temp\~DF037C1DC12B91FF6C.TMP | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: C:\Windows\SystemTemp\~DFDE52A21268E62328.TMP | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: C:\Windows\Temp\~DF9375DC9A1BC3D00B.TMP | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: C:\Windows\Temp\~DF953711672F9C7658.TMP | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: C:\Windows\Installer\inprogressinstallinfo.ipi | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
(5 further entries collapsed in the original report)

Memory Dumps
Source: 00000000.00000002.11746741885.0000000005440000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: Process Memory Space: SecuredOnedrive.ClientSetup.exe PID: 7700 | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
(2 further entries collapsed in the original report)

Unpacked PEs
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5440000.8.raw.unpack | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 10.2.ScreenConnect.WindowsClient.exe.267cee0.4.raw.unpack | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 10.0.ScreenConnect.WindowsClient.exe.240000.0.unpack | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5440000.8.unpack | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack | Rule: JoeSecurity_ScreenConnectTool | Description: Yara detected ScreenConnect Tool | Author: Joe Security
(3 further entries collapsed in the original report)

                                  System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: ScreenConnect Client (f40cdcc9172e57c6) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6508, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-D15A-B6D70EA663B0}\(Default)
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 712, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc, ProcessId: 4336, ProcessName: svchost.exe
No Suricata rule has matched

                                  AV Detection

Source: SecuredOnedrive.ClientSetup.exe | Virustotal: Detection: 26%
Source: SecuredOnedrive.ClientSetup.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_039C0E48 CryptProtectData, 9_2_039C0E48
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_039C1631 CryptProtectData, 9_2_039C1631
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | EXE: msiexec.exe

                                  Compliance

Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | EXE: msiexec.exe
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: certificate valid
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb | source: ScreenConnect.WindowsFileManager.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM | source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb | source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb | source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT | source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb | source: ScreenConnect.WindowsBackstageShell.exe.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb | source: Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb | source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb | source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb | source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973007694.00000000023F0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973144581.0000000002452000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.4.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb | source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb | source: ScreenConnect.ClientService.exe, 00000009.00000000.11774927962.000000000073D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb | source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb | source: rundll32.exe, 00000006.00000003.11748900423.0000000005180000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.6.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb | source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb | source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.00000000005E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb | source: ScreenConnect.InstallerActions.dll.6.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb | source: SecuredOnedrive.ClientSetup.exe, 4f19c1.msi.4.dr, MSI1E07.tmp.4.dr, MSI200B.tmp.4.dr, MSI21F1.tmp.4.dr, 4f19c3.msi.4.dr, ScreenConnect.ClientSetup.msi.0.dr, 4f19c2.rbs.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb | source: rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] | source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb | source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb | source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb | source: SecuredOnedrive.ClientSetup.exe, 4f19c1.msi.4.dr, 4f19c3.msi.4.dr, ScreenConnect.ClientSetup.msi.0.dr, MSI159B.tmp.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu | source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi | source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12972761493.00000000023B2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb | source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12972761493.00000000023B2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' | source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb | source: SecuredOnedrive.ClientSetup.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

                                  Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | DNS traffic detected: DNS query: instance-cb2j07-relay.screenconnect.com
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.0000000001604000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.0000000001778000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000014B9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000017A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/0#
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/4
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/H
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/h
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000013F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr | String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr | String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr | String found in binary or memory: http://wixtoolset.org/releases/
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.ClientService.exe.4.dr, ScreenConnect.WindowsClient.exe.4.dr, ScreenConnect.WindowsFileManager.exe.4.dr, ScreenConnect.WindowsBackstageShell.exe.4.dr, ScreenConnect.WindowsCredentialProvider.dll.4.dr, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.4.dr | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.6.dr | String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: unknown | Network traffic detected: HTTP traffic on ports 65324, 65325, 65326, 65329, 65333, 65335, 65339, 65343 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> each of 65324, 65325, 65326, 65329, 65333, 65335, 65339, 65343

                                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                                  System Summary

Source: SecuredOnedrive.ClientSetup.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_04C201F0 CreateProcessAsUserW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f19c1.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DF395819C9C25174D8.TMP
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{7194EC79-79EF-CD38-454E-84482F62C93C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DFA7FBC49C0BC51618.TMP
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI1E07.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI200B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI21F1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f19c3.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4f19c3.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{7194EC79-79EF-CD38-454E-84482F62C93C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{7194EC79-79EF-CD38-454E-84482F62C93C}\DefaultIcon
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DFDE52A21268E62328.TMP
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DF0DB588100E6C382A.TMP
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{7194EC79-79EF-CD38-454E-84482F62C93C}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\paumg2ll.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\paumg2ll.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\yrjwb4lb.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\yrjwb4lb.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\dycq24ab.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\dycq24ab.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\53uhxhoa.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\53uhxhoa.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\2y1yzdta.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\2y1yzdta.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\uwgc4rdl.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\uwgc4rdl.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\2bpnbhce.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\2bpnbhce.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\yo0gx5ud.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\yo0gx5ud.newcfg
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI200B.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_00B8D568
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED05F8
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED6205
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED0DE8
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD71E03EB
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD71E5C91
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11746741885.00000000055FC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11746741885.00000000055FC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11746741885.00000000055FC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11746741885.00000000055FC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11749234809.0000000006639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11749234809.0000000006639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11749234809.0000000006639000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11744018193.0000000005210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11744018193.0000000005210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11744018193.0000000005210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11743499843.0000000005150000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11743873076.00000000051E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11731035615.0000000002960000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.0000000000BFF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.0000000000BFF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuredOnedrive.ClientSetup.exe.6d63d4.2.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5210000.4.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5150000.1.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5210000.4.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5210000.4.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5210000.4.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal66.evad.winEXE@16/58@3/1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuredOnedrive.ClientSetup.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI159B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5183031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: SecuredOnedrive.ClientSetup.exe | Virustotal: Detection: 26%
Source: SecuredOnedrive.ClientSetup.exe | ReversingLabs: Detection: 23%
Source: SecuredOnedrive.ClientSetup.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: SecuredOnedrive.ClientSetup.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | File read: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe "C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe"
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77340DACFC52F1F82F48657C600111B3 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI159B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5183031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FC01D66D9C659A0C1A52C9225EB89673
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B616DDBEE16C1106C896B51026D25DE E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=69a721fd-b674-4daa-86be-2f9c571953f8&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM"
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "2cfdcfba-a2ce-49b7-8617-d9cdd62ec687" "User"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77340DACFC52F1F82F48657C600111B3 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FC01D66D9C659A0C1A52C9225EB89673
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3B616DDBEE16C1106C896B51026D25DE E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI159B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5183031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "2cfdcfba-a2ce-49b7-8617-d9cdd62ec687" "User"
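The process-creation rows above carry everything an analyst needs to pivot on this sample: the msiexec.exe row gives the client version and instance ID from the temp path, and the ScreenConnect.ClientService.exe row gives the relay host and port, session type, session ID and the server's public key in its parameter string. The Python below is an added example, not part of the Joe Sandbox report and not ConnectWise code. It takes the two command lines exactly as printed in the rows above and turns them into hunting indicators. The names given to the single-letter parameters (e, y, h, p, s, k) are my reading of the ScreenConnect client URL format, not something the report states; the key blob is decoded as a Microsoft CAPI PUBLICKEYBLOB (BLOBHEADER followed by RSAPUBKEY), which is what its leading bytes (0x06 0x02, CALG_RSA_KEYX, "RSA1") identify it as.

```python
"""Extract hunting indicators from the two ScreenConnect process-creation rows of this report.

Added example; the only inputs are the command lines copied from the report.
"""
import base64
import re
import struct
from urllib.parse import unquote

# Copied from the report's "Process created" rows for msiexec.exe and ScreenConnect.ClientService.exe.
MSIEXEC_CMDLINE = (
    r'"C:\Windows\System32\msiexec.exe" /i '
    r'"C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"'
)
SERVICE_CMDLINE = (
    r'"C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443'
    '&s=69a721fd-b674-4daa-86be-2f9c571953f8'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM"'
)

# Names for the single-letter parameters of the ScreenConnect client string.
# This mapping is my assumption (the report shows only the raw string); it is a table so it is easy to correct.
PARAM_NAMES = {
    "e": "session_type",       # Access = unattended access session
    "y": "process_type",       # Guest = the endpoint being controlled
    "h": "relay_host",
    "p": "relay_port",
    "s": "session_id",
    "k": "server_public_key",  # base64 CAPI PUBLICKEYBLOB
}

CALG_RSA_KEYX = 0x0000A400  # wincrypt.h algorithm id carried in the BLOBHEADER


def parse_client_params(cmdline: str) -> dict:
    """Return the decoded "?k=v&..." argument of a ScreenConnect client command line."""
    m = re.search(r'"\?([^"]*)"', cmdline)
    if not m:
        raise ValueError("no ScreenConnect parameter string in command line")
    params = {}
    for pair in m.group(1).split("&"):
        key, _, value = pair.partition("=")
        # unquote(), not parse_qs(): the base64 key must not have '+' turned into a space
        params[PARAM_NAMES.get(key, key)] = unquote(value)
    return params


def parse_capi_rsa_public_blob(b64: str) -> dict:
    """Decode the BLOBHEADER + RSAPUBKEY prefix of a CAPI PUBLICKEYBLOB (all fields little-endian)."""
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    btype, _bversion, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06 or magic != b"RSA1":  # PUBLICKEYBLOB with the RSA1 magic
        raise ValueError("not a CAPI RSA public key blob")
    return {
        "alg_id": alg_id,
        "is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "bits": bitlen,
        "exponent": pubexp,
        "modulus_len": len(blob) - 20,  # bytes following the 20-byte header
    }


def instance_from_install_path(text: str):
    """The 16 hex digits in 'ScreenConnect Client (<id>)' tie the client to one server instance."""
    m = re.search(r"ScreenConnect Client \(([0-9a-f]{16})\)", text)
    return m.group(1) if m else None


def version_and_instance_from_msi_path(text: str):
    r"""The extracted MSI sits under ...\Temp\ScreenConnect\<version>\<instance>\ in the report."""
    m = re.search(r"\\ScreenConnect\\(\d+(?:\.\d+){3})\\([0-9a-f]{16})\\", text)
    return (m.group(1), m.group(2)) if m else (None, None)


def indicators(msi_cmdline: str, service_cmdline: str) -> dict:
    """Combine both rows into one indicator record for hunting or blocking."""
    params = parse_client_params(service_cmdline)
    version, msi_instance = version_and_instance_from_msi_path(msi_cmdline)
    instance = instance_from_install_path(service_cmdline)
    return {
        "client_version": version,
        "instance_id": instance,
        "instance_matches_msi_path": instance == msi_instance,
        "relay": f"{params['relay_host']}:{params['relay_port']}",
        # *.screenconnect.com relays are ConnectWise-hosted instances (my reading, not stated in the report)
        "hosted_relay": params["relay_host"].endswith(".screenconnect.com"),
        "session_type": params["session_type"],
        "session_id": params["session_id"],
        "server_key": parse_capi_rsa_public_blob(params["server_public_key"]),
    }


if __name__ == "__main__":
    for name, value in indicators(MSIEXEC_CMDLINE, SERVICE_CMDLINE).items():
        print(f"{name}: {value}")
```

The instance ID is the most durable pivot: it appears in the install directory, the MSI temp path and the per-service config directory under config\systemprofile, so a single regex over process, file and registry telemetry finds every artifact of this particular server. The relay host identifies the controlling ScreenConnect instance for blocking at the proxy, and the decoded key header lets you confirm a second sample points at the same server even if its relay hostname changed.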
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: cfgmgr32.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Section loaded: windows.staterepositoryps.dll
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: virtdisk.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: smartscreenps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: shdocvw.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appidapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: appidapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_1_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: servicingcommon.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: virtdisk.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_1_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: virtdisk.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fcon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: certificate valid
Source: SecuredOnedrive.ClientSetup.exe | Static file information: File size 5621992 > 1048576
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973007694.00000000023F0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973144581.0000000002452000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.4.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000009.00000000.11774927962.000000000073D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000006.00000003.11748900423.0000000005180000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.6.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.00000000005E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.6.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: SecuredOnedrive.ClientSetup.exe, 4f19c1.msi.4.dr, MSI1E07.tmp.4.dr, MSI200B.tmp.4.dr, MSI21F1.tmp.4.dr, 4f19c3.msi.4.dr, ScreenConnect.ClientSetup.msi.0.dr, 4f19c2.rbs.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.6.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: SecuredOnedrive.ClientSetup.exe, 4f19c1.msi.4.dr, 4f19c3.msi.4.dr, ScreenConnect.ClientSetup.msi.0.dr, MSI159B.tmp.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12972761493.00000000023B2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12972761493.00000000023B2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000009.00000002.12986787542.0000000002397000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.12982263910.0000000012610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.4.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: SecuredOnedrive.ClientSetup.exe
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.0.SecuredOnedrive.ClientSetup.exe.c078ec.4.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuredOnedrive.ClientSetup.exe.2960000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: ScreenConnect.Client.dll.4.dr | Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: real checksum: 0x54d1c1 should be: 0x56256d
Source: MSI159B.tmp.2.dr | Static PE information: real checksum: 0x2f213 should be: 0x1125d0
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Code function: 0_2_0293AE81 push esp; ret 0_2_0293AE8D
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Code function: 0_2_029370B0 push eax; mov dword ptr [esp], ecx 0_2_029370C1
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Code function: 0_2_02937FE7 push esp; ret 0_2_02937FF1
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_00B86287 push ebx; ret 9_2_00B8629A
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_039CDCBF push eax; retf 9_2_039CDD29
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6EE0463 push ebx; retf 10_2_00007FFCD6EE098A
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6EE1F57 push ebx; ret 10_2_00007FFCD6EE1F5A
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED3CFA push eax; ret 10_2_00007FFCD6ED3CFB
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED7494 push 8B4C5F7Eh; ret 10_2_00007FFCD6ED7499
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED1357 push ebx; iretd 10_2_00007FFCD6ED135A
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED3BB2 push eax; iretd 10_2_00007FFCD6ED3BB3
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD6ED2B92 pushad ; retf 10_2_00007FFCD6ED2B93
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFCD71E2F5A pushfd ; iretd 10_2_00007FFCD71E2F5B

Persistence and Installation Behavior

Source: c:\program files (x86)\screenconnect client (f40cdcc9172e57c6)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-d15a-b6d70ea663b0}\inprocserver32
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI21F1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI200B.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe
Source: ScreenConnect.ClientService.dll.4.dr | Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f40cdcc9172e57c6)

Hooking and other Techniques for Hiding and Protection

Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.11744018193.0000000005210000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000006.00000003.11746152716.00000000052FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973007694.00000000023F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973144581.0000000002452000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.12987875101.000000001B432000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuredOnedrive.ClientSetup.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.6.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.4.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.4.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults data
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Process information set: NOOPENFILEERRORBOX (reported 30 times)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (reported 16 times)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported 34 times)
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Process information set: NOOPENFILEERRORBOX (64 identical entries)
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe; Process information set: NOOPENFILEERRORBOX (53 identical entries)
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 28F0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 2B00000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 4B00000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 62B0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 5A10000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 72B0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 82B0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 8540000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: 9540000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Memory allocated: B80000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Memory allocated: 1390000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Memory allocated: 1290000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe; Memory allocated: 990000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe; Memory allocated: 1A600000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Thread delayed: delay time: 922337203685477
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Window / User API: threadDelayed 1467
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI21F1.tmp
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll
                                   Source: C:\Windows\SysWOW64\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSI200B.tmp
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.InstallerActions.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Windows.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 4588; Thread sleep count: 309 > 30
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 4588; Thread sleep count: 54 > 30
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 4980; Thread sleep time: -922337203685477s >= -30000s
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6444; Thread sleep count: 160 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6444; Thread sleep count: 76 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 7816; Thread sleep count: 154 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 8156; Thread sleep count: 56 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 8156; Thread sleep count: 46 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 476; Thread sleep time: -30000s >= -30000s
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 8156; Thread sleep count: 1467 > 30
                                   Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\ FullSizeInformation (2 identical entries)
                                   Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation (5 identical entries)
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Thread delayed: delay time: 922337203685477
                                   Source: ScreenConnect.ClientService.exe, 00000009.00000002.12994682487.0000000004810000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9
                                   Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Process token adjusted: Debug
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe; Process token adjusted: Debug
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe; Memory allocated: page read and write | page guard

                                  HIPS / PFW / Operating System Protection Evasion

Source: 0.0.SecuredOnedrive.ClientSetup.exe.c078ec.4.raw.unpack, Program.cs | Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, WindowsExtensions.cs | Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (f40cdcc9172e57c6)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=69a721fd-b674-4daa-86be-2f9c571953f8&k=bgiaaackaabsu0exaagaaaeaaqdx5hihfbq7xnz7ziur93mhza2t4colt7txcnjfouviknbizwl%2brlng8e7lnmyj3fs%2frdlvlbfu11xnjfh1nfsqr%2fz7wgklgi9m0nmzd1z9au%2fkkpmptn190fox94x6g%2bssvcnazzn2lrbb3le5vmwl7b9cvxu3oyskv%2fhb4lrazqrxpu%2bk%2b6yae74%2f2gcrhelmuoj7vqvtiya8y63drial69u%2bpybfgopfp4%2baifprp4zokdjucwgif2n%2f0km%2f2ncoazoh6morspbr3sp04g%2biar7xflzbi2y%2b6xuva8que%2baquznpu0qnkpivt86mq%2bz9ip8m9ikptevrx2mxrpjm"
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr | Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.4.dr | Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_04C22700 CreateNamedPipeW, 9_2_04C22700
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 9_2_00B84C60 RtlGetVersion, 9_2_00B84C60
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: Yara match | File source: SecuredOnedrive.ClientSetup.exe, type: SAMPLE
Source: Yara match | File source: 0.2.SecuredOnedrive.ClientSetup.exe.5440000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ScreenConnect.WindowsClient.exe.267cee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.ScreenConnect.WindowsClient.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuredOnedrive.ClientSetup.exe.5440000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuredOnedrive.ClientSetup.exe.75c3d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuredOnedrive.ClientSetup.exe.785db0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuredOnedrive.ClientSetup.exe.6d63d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SecuredOnedrive.ClientSetup.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.11746741885.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuredOnedrive.ClientSetup.exe PID: 7700, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 3344, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Temp\~DF037C1DC12B91FF6C.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\SystemTemp\~DFDE52A21268E62328.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF9375DC9A1BC3D00B.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF953711672F9C7658.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match | File source: C:\Windows\SystemTemp\~DF395819C9C25174D8.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF35717DA52A2C51D3.TMP, type: DROPPED
Source: Yara match | File source: C:\Config.Msi\4f19c2.rbs, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSI1E07.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, type: DROPPED
MITRE ATT&CK matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                  Gather Victim Identity InformationAcquire Infrastructure1
                                  Valid Accounts
                                  1
                                  Native API
                                  1
                                  DLL Side-Loading
                                  1
                                  DLL Side-Loading
                                  11
                                  Disable or Modify Tools
                                  OS Credential Dumping11
                                  Peripheral Device Discovery
                                  Remote Services11
                                  Archive Collected Data
                                  22
                                  Encrypted Channel
                                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                                  CredentialsDomains1
                                  Replication Through Removable Media
                                  12
                                  Command and Scripting Interpreter
                                  1
                                  DLL Search Order Hijacking
                                  1
                                  DLL Search Order Hijacking
                                  1
                                  Deobfuscate/Decode Files or Information
                                  LSASS Memory1
                                  File and Directory Discovery
                                  Remote Desktop ProtocolData from Removable Media1
                                  Non-Application Layer Protocol
                                  Exfiltration Over BluetoothNetwork Denial of Service
                                  Email AddressesDNS ServerDomain AccountsAt1
                                  Component Object Model Hijacking
                                  1
                                  Component Object Model Hijacking
                                  1
                                  Obfuscated Files or Information
                                  Security Account Manager14
                                  System Information Discovery
                                  SMB/Windows Admin SharesData from Network Shared Drive2
                                  Application Layer Protocol
                                  Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal AccountsCron1
                                  Valid Accounts
                                  1
                                  Valid Accounts
                                  1
                                  Software Packing
                                  NTDS1
                                  Security Software Discovery
                                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchd2
                                  Windows Service
                                  1
                                  Access Token Manipulation
                                  1
                                  Timestomp
                                  LSA Secrets2
                                  Process Discovery
                                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled Task1
                                  Bootkit
                                  2
                                  Windows Service
                                  1
                                  DLL Side-Loading
                                  Cached Domain Credentials31
                                  Virtualization/Sandbox Evasion
                                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items13
                                  Process Injection
                                  1
                                  DLL Search Order Hijacking
                                  DCSync1
                                  Application Window Discovery
                                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                  File Deletion
                                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                                  Masquerading
                                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                                  Valid Accounts
                                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                  Modify Registry
                                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                  Access Token Manipulation
                                  KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                                  Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers31
                                  Virtualization/Sandbox Evasion
                                  GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
                                  Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job13
                                  Process Injection
                                  Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
                                  Identify Business TempoBotnetHardware AdditionsPythonHypervisorProcess Injection1
                                  Hidden Users
                                  Credential API HookingDomain GroupsExploitation of Remote ServicesRemote Email CollectionExternal ProxyTransfer Data to Cloud AccountReflection Amplification
                                  Identify RolesWeb ServicesMasquerade as Legitimate ApplicationJavaScriptValid AccountsDynamic-link Library Injection1
                                  Bootkit
                                  Brute ForceCloud GroupsAttack PC via USB ConnectionEmail Forwarding RuleMulti-hop ProxyExfiltration Over Web ServiceEndpoint Denial of Service
                                  Gather Victim Host InformationServerlessDrive-By CompromiseNetwork Device CLIDefault AccountsPortable Executable Injection1
                                  Rundll32
                                  Password GuessingSystem Information DiscoveryExploitation of Remote ServicesClipboard DataDomain FrontingExfiltration to Code RepositoryOS Exhaustion Flood
Behavior Graph ID: 1582217 | Sample: SecuredOnedrive.ClientSetup.exe | Startdate: 30/12/2024 | Architecture: WINDOWS | Score: 66
Contacted hosts: server-nixce85832f-relay.screenconnect.com (145.40.105.136, ports 443, 65324, 65325; BREEDBANDDELFTNL, Netherlands); instance-cb2j07-relay.screenconnect.com
Signatures on the sample: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 4 other signatures
Processes started from the sample: msiexec.exe; ScreenConnect.ClientService.exe; SecuredOnedrive.ClientSetup.exe; svchost.exe
msiexec.exe: dropped ScreenConnect.Wind...dentialProvider.dll (PE32+), C:\...\ScreenConnect.ClientService.exe (PE32), C:\Windows\Installer\MSI21F1.tmp (PE32) and 9 other files (none is malicious); signatures: Enables network access during safeboot for specific services; Modifies security policies related information; started three further msiexec.exe instances, one of which started rundll32.exe
ScreenConnect.ClientService.exe: connected to server-nixce85832f-relay.screenconnect.com; signatures: Reads the Security eventlog; Reads the System eventlog; started ScreenConnect.WindowsClient.exe (signature: Contains functionality to hide user accounts)
SecuredOnedrive.ClientSetup.exe: signature: Contains functionality to hide user accounts; started msiexec.exe, which dropped C:\Users\user\AppData\Local\...\MSI159B.tmp (PE32)
rundll32.exe: dropped C:\Users\user\...\ScreenConnect.Windows.dll (PE32), C:\...\ScreenConnect.InstallerActions.dll (PE32), C:\Users\user\...\ScreenConnect.Core.dll (PE32) and 4 other files (none is malicious); signature: Contains functionality to hide user accounts

                                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
SecuredOnedrive.ClientSetup.exe | 26% | Virustotal |
SecuredOnedrive.ClientSetup.exe | 24% | ReversingLabs | Win32.PUA.ConnectWise
Source | Detection | Scanner | Label
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI159B.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI200B.tmp | 0% | ReversingLabs |
C:\Windows\Installer\MSI21F1.tmp | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://instance-cb2j07-relay.screenconnect.com:443/H | 0% | Avira URL Cloud | safe
https://feedback.screenconnect.com/Feedback.axd | 0% | Avira URL Cloud | safe
http://instance-cb2j07-relay.screenconnect.com:443/ | 0% | Avira URL Cloud | safe
http://instance-cb2j07-relay.screenconnect.com:443/4 | 0% | Avira URL Cloud | safe
http://instance-cb2j07-relay.screenconnect.com:443/0# | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
server-nixce85832f-relay.screenconnect.com | 145.40.105.136 | true | false | | unknown
instance-cb2j07-relay.screenconnect.com | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: http://instance-cb2j07-relay.screenconnect.com:443/4
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://wixtoolset.org/releases/
  Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr
  Malicious: false
  Reputation: high

Name: http://instance-cb2j07-relay.screenconnect.com:443/H
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://instance-cb2j07-relay.screenconnect.com:443/h
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: unknown

Name: http://wixtoolset.org/news/
  Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr
  Malicious: false
  Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000013F2000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Reputation: high

Name: http://instance-cb2j07-relay.screenconnect.com:443/0#
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://instance-cb2j07-relay.screenconnect.com:443/
  Source: ScreenConnect.ClientService.exe, 00000009.00000002.12970685169.000000000066A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.0000000001604000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.0000000001778000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000014B9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.12974113700.00000000017A1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
  Source: rundll32.exe, 00000006.00000003.11746613640.0000000005183000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.0000000005281000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.11746152716.00000000052F0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.6.dr, Microsoft.Deployment.Compression.Cab.dll.6.dr
  Malicious: false
                                                  high
                                                  https://feedback.screenconnect.com/Feedback.axdScreenConnect.Core.dll.6.drfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://docs.rs/getrandom#nodejs-es-module-supportScreenConnect.WindowsCredentialProvider.dll.4.drfalse
                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
145.40.105.136 | server-nixce85832f-relay.screenconnect.com | Netherlands | 34108 | BREEDBANDDELFTNL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582217
Start date and time: 2024-12-30 03:53:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuredOnedrive.ClientSetup.exe
Detection: MAL
Classification: mal66.evad.winEXE@16/58@3/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 72%
• Number of executed functions: 164
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, appidcertstorecheck.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 4.245.163.56, 20.31.169.57, 20.190.159.0
• Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com
• Execution Graph export aborted for target SecuredOnedrive.ClientSetup.exe, PID 7700 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 6908 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
21:54:47 | API Interceptor | 1x Sleep call for process: ScreenConnect.ClientService.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
145.40.105.136 | $RUX313H.exe | malicious | ScreenConnect Tool Neshta
Match | Associated Sample Name / URL | Detection | Threat Name | Context
server-nixce85832f-relay.screenconnect.com | $RUX313H.exe | malicious | ScreenConnect Tool Neshta | 145.40.105.136
fp2e7a.wpc.phicdn.net | dsoft.exe | malicious | Python Stealer, Creal Stealer | 192.229.221.95
fp2e7a.wpc.phicdn.net | KL-3.1.16.exe | malicious | Nitol, Zegost | 192.229.221.95
fp2e7a.wpc.phicdn.net | 2GL073z1wL.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | installer64v1.0.0.msi | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | test5.exe | malicious | CobaltStrike, Metasploit | 192.229.221.95
fp2e7a.wpc.phicdn.net | FIyDwZM4OR.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | ZFttiy4Tt8.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | rpDOUhuBC5.exe | malicious | Credential Flusher | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://volmar.sinformations.cfd | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | OTRykEzo6o.exe | malicious | Unknown | 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BREEDBANDDELFTNL | xd.ppc.elf | malicious | Mirai | 145.36.168.250
BREEDBANDDELFTNL | nabmips.elf | malicious | Unknown | 145.43.245.107
BREEDBANDDELFTNL | mips.nn.elf | malicious | Mirai, Okiru | 145.32.35.137
BREEDBANDDELFTNL | arm7.nn.elf | malicious | Mirai, Okiru | 145.43.203.176
BREEDBANDDELFTNL | armv4l.elf | malicious | Unknown | 145.41.61.230
BREEDBANDDELFTNL | IGz.arm.elf | malicious | Mirai | 145.41.209.2
BREEDBANDDELFTNL | arm7.nn-20241213-0355.elf | malicious | Mirai, Okiru | 145.43.183.140
BREEDBANDDELFTNL | mips.nn.elf | malicious | Mirai, Okiru | 145.42.56.166
BREEDBANDDELFTNL | loligang.ppc.elf | malicious | Mirai | 145.43.96.120
BREEDBANDDELFTNL | splmips.elf | malicious | Unknown | 145.41.127.177
                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | NotaFiscalOnline.ClientSetup.ex#.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | NotaFiscalOnline.ClientSetup.ex#.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | dMDImIGmc7.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | dMDImIGmc7.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | estatement020134230003.exe.virus.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | estatement020134230003.exe.virus.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | Support.ClientSetup.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | NotaFiscalOnline.ClientSetup.ex#.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | NotaFiscalOnline.ClientSetup.ex#.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | dMDImIGmc7.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | dMDImIGmc7.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | estatement020134230003.exe.virus.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | estatement020134230003.exe.virus.exe | malicious | ScreenConnect Tool
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | Support.ClientSetup.exe | malicious | ScreenConnect Tool
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 219531
Entropy (8bit): 6.582005971194898
Encrypted: false
SSDEEP: 3072:469LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGt:46uH2aCGw1ST1wQLdqvt
MD5: 988A7A299BD5291C9C0231CDAE7176C5
SHA1: 2A1F25043F4765AB6BA988E0B48E5661847C2394
SHA-256: 6534D920DE7DA263040CBEEF83309774D291FEC837B078754F302E72B7837CFD
SHA-512: FE653320AAD4DC778064DB603436A8EA9A1AB6279C3C17DBA3B06D2B34B2743CD1BAD0FF3F07F50E9263FFFF5C29580A9FB0CC3B13E1012D598C8DEDE219DE98
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\4f19c2.rbs, Author: Joe Security
Reputation: low
                                                                                              Preview:...@IXOS.@.....@..Y.@.....@.....@.....@.....@.....@......&.{7194EC79-79EF-CD38-454E-84482F62C93C}'.ScreenConnect Client (f40cdcc9172e57c6)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{7194EC79-79EF-CD38-454E-84482F62C93C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (f40cdcc9172e57c6)......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1]....ProcessComponents..Updating component registration..&.{F3F5E099-6EBE-0C3F-2261-B5C7F8C1CAEE}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{24139418-7B3F-A718-21A9-7B6042F6E38E}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{68BD4989-F8AD-BF77-90EC-79188BCD6689}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{30136DC6-9BF8-3798-D11E-EAEB284AA8B9}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{7DE967B9-6D28-1F0A-661A-7327220B1398}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{96E1AE58-35C4-800C-C551-0AB5E6E20551}&.{7194EC79-79EF-CD38-454E
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 50133
Entropy (8bit): 4.759054454534641
Encrypted: false
SSDEEP: 1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5: D524E8E6FD04B097F0401B2B668DB303
SHA1: 9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256: 07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512: E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious: false
                                                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 26722
Entropy (8bit): 7.7401940386372345
Encrypted: false
SSDEEP: 384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5: 5CD580B22DA0C33EC6730B10A6C74932
SHA1: 0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256: DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512: C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious: false
                                                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 197120
Entropy (8bit): 6.586775768189165
Encrypted: false
SSDEEP: 3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5: 3724F06F3422F4E42B41E23ACB39B152
SHA1: 1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256: EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512: 509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
• Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: dMDImIGmc7.exe, Detection: malicious
• Filename: dMDImIGmc7.exe, Detection: malicious
• Filename: estatement020134230003.exe.virus.exe, Detection: malicious
• Filename: estatement020134230003.exe.virus.exe, Detection: malicious
• Filename: Support.ClientSetup.exe, Detection: malicious
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 68096
Entropy (8bit): 6.06942231395039
Encrypted: false
SSDEEP: 1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5: 5DB908C12D6E768081BCED0E165E36F8
SHA1: F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256: FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512: 8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
• Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: dMDImIGmc7.exe, Detection: malicious
• Filename: dMDImIGmc7.exe, Detection: malicious
• Filename: estatement020134230003.exe.virus.exe, Detection: malicious
• Filename: estatement020134230003.exe.virus.exe, Detection: malicious
• Filename: Support.ClientSetup.exe, Detection: malicious
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):95512
                                                                                              Entropy (8bit):6.504684691533346
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                              MD5:75B21D04C69128A7230A0998086B61AA
                                                                                              SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                              SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                              SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):548864
                                                                                              Entropy (8bit):6.034211651049746
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                              MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                              SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                              SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                              SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1721856
                                                                                              Entropy (8bit):6.639085961200334
                                                                                              Encrypted:false
                                                                                              SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                              MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                              SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                              SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                              SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):260168
                                                                                              Entropy (8bit):6.416438906122177
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                              MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                              SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                              SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                              SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):61208
                                                                                              Entropy (8bit):6.310126082367387
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                              MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                              SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                              SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                              SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):266
                                                                                              Entropy (8bit):4.842791478883622
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):602392
                                                                                              Entropy (8bit):6.176232491934078
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                              MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                              SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                              SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                              SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                              Malicious:false
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):266
                                                                                              Entropy (8bit):4.842791478883622
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):842248
                                                                                              Entropy (8bit):6.268561504485627
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                              MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                              SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                              SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                              SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):81688
                                                                                              Entropy (8bit):5.8618809599146005
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                              MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                              SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                              SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                              SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):266
                                                                                              Entropy (8bit):4.842791478883622
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1777
                                                                                              Entropy (8bit):4.70680553867855
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:Oh95AfdH85AfdHH/dHS/dHjdH6dH/dHAdHadGHjdGHeGH3dHYOdHX:o92H82HVHeHZHUH1HyHlHgHNHtHDHX
                                                                                              MD5:A010CA07B19C21154177D245E78342B5
                                                                                              SHA1:3EE27D15FEC2098E8C4FBB4605F087A0FBD0E9AC
                                                                                              SHA-256:4528078B8513B04BE7CDE2EE067E353D90F1F2416E29F0B70816DDA33246BC1D
                                                                                              SHA-512:24DCF96DF91AFBEBB42A9DCEB5AD1724F5389A17FB3E3E4D9D561C5D401CCBC18D5814160A12E8FE66301F18F22B37DAE840F850304BB7632FFEA1988358993F
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowSystemTrayIcon" serializeAs="String">.. <value>false
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with very long lines (488), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):978
                                                                                              Entropy (8bit):5.787685549884293
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:2dL9hK6E4dl/5AuvO3rVE82sbVu7z43vH:chh7HH51G3BVVL3v
                                                                                              MD5:744B58801E892B340A7B27F2C0B0EA3B
                                                                                              SHA1:4612A4E5AE1D0CFE7B5F865E71FF059CC2867D19
                                                                                              SHA-256:B47280986E7ADC3396EA0A657601B7717653D1E44748EB1A042A2E38A1EE2BB1
                                                                                              SHA-512:5341082D08D0C1BA0FF3BADFD193C854BA9F197BB6B995ACAB61C52DEFB8FC3EA88A12A3BB90C81F9DF37ED728CC67BCDBFC5B3529C0BB4EF46B18B0B18539BB
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-cb2j07-relay.screenconnect.com&amp;p=443&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                              Category:dropped
                                                                                              Size (bytes):1088392
                                                                                              Entropy (8bit):7.789940577622617
                                                                                              Encrypted:false
                                                                                              SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
                                                                                              MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                                                                              SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                                                                              SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                                                                              SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):234
                                                                                              Entropy (8bit):4.977464602412109
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                              MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                              SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                              SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                              SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                              Malicious:false
                                                                                              Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):49152
                                                                                              Entropy (8bit):4.62694170304723
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                              MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                              SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                              SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                              SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):36864
                                                                                              Entropy (8bit):4.340550904466943
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                              MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                              SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                              SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                              SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):57344
                                                                                              Entropy (8bit):4.657268358041957
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                              MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                              SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                              SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                              SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):176128
                                                                                              Entropy (8bit):5.775360792482692
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                              MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                              SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                              SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                              SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):548864
                                                                                              Entropy (8bit):6.034211651049746
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                              MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                              SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                              SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                              SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):11776
                                                                                              Entropy (8bit):5.273875899788767
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
                                                                                              MD5:73A24164D8408254B77F3A2C57A22AB4
                                                                                              SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                                                                              SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                                                                              SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%

Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1721856
Entropy (8bit):6.639085961200334
Encrypted:false
SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:9AD3964BA3AD24C42C567E47F88C82B2
SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...

Process:C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):423615
Entropy (8bit):6.577828620834553
Encrypted:false
SSDEEP:6144:juH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvw:juH2anwohwQUv5uH2anwohwQUvw
MD5:9C086A38AD07A28347D502F74552486A
SHA1:E63D0CA2CFB6F04B372F982868CEC31DE44217BD
SHA-256:E1E190993FA5C2B0668C773A9F9849F20DB060E55B8F22A065807A224C43D982
SHA-512:DD08A30D409E436B34F258BF4889061F41BAB0A88522B2D02775061F495953B27C6D3BFE3491A5CB6AFACDFEE6EADE7B4EE3A777F917B730E689A488F88CA0EA
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI1E07.tmp, Author: Joe Security
Preview:...@IXOS.@.....@..Y.@.....@.....@.....@.....@.....@......&.{7194EC79-79EF-CD38-454E-84482F62C93C}'.ScreenConnect Client (f40cdcc9172e57c6)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{7194EC79-79EF-CD38-454E-84482F62C93C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (f40cdcc9172e57c6)......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1].....@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F3F5E099-6EBE-0C3F-2261-B5C7F8C1CAEE}^.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{24139418-7B3F-A718-21A9-7B6042F6E38E}f.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{68BD4989-F8AD-BF77-90EC-79188BCD6689}c.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFile

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):207360
Entropy (8bit):6.573348437503042
Encrypted:false
SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):207360
Entropy (8bit):6.573348437503042
Encrypted:false
SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1719341169739064
Encrypted:false
SSDEEP:12:JSbX72FjMdAGiLIlHVRpIh/7777777777777777777777777vDHFqbcjp7rl0i8Q:JSQI5w7AF
MD5:E08A773C428B058D9C044E9D7E2CB07B
SHA1:E7982432A31A567F16F7592A807D381A5BE4F41F
SHA-256:AD9AB078FB20583D29CE1DC6786209E16F40DD8A5BB0DDD503FE7EC2B694E980
SHA-512:89AA4F204C0C9FA2F04878D97A57DE8CA6B8FB84D12D5413FDD329BE63F84E2A9863A57BEAFA6D6D98F466D44821BBF30AFA4FF5B43A293A0BCD375FF0785E7A
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.810392767236109
Encrypted:false
SSDEEP:48:J8PhMuRc06WXzuFT5kkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2AJ:EhM1zFTGUiprfP1dfH7rWCQQnIMfp
MD5:D3D21E0BDA21632913B6A5C9D21C7431
SHA1:5B78355C52A6D9491553A5CF0F3C9660CCA3CCF8
SHA-256:60505172A9ED16818B09C7A7E5E164A5C15E400DF9FA065B3D216D538174ED4F
SHA-512:FC1A7D3B0858EC5AC9DE6C46AF562C5879C4B37EB56FD7DED4136FA194B1E454B163E2B318811951E4506B0DCF852701E7DBA358E0B40EC04B60947804D5F0A8
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:dropped
Size (bytes):435
Entropy (8bit):5.289734780210945
Encrypted:false
SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:false
Preview:..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):455581
Entropy (8bit):5.3817603012870405
Encrypted:false
SSDEEP:3072:CpI1rhwukl2UFY+ikDR9KjVWHq+BqLBOhajc9ijF2JtsxcBS1J3BM0Aa+iVbwebi:DKboSB9
MD5:FE45A0B54775E3D69E763CD7A6CA5326
SHA1:043D52664C229F41DD520975C0179E7CF84BEA94
SHA-256:984D090DDA39EC74A77093C657B74C138D315A13B63398893353659C5FC104A2
SHA-512:94509ECF3BDBBBE840ED2E368CBEF9D80CD42D0FCF8A5C79B349E6F8B1BFCF9B90159D558E40890E92329060DE5624EA43ECF913D2C1F7A50F76705AA28FD869
Malicious:false
Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..05/07/2022 07:40:26.485 [3724]: Command line: D:\wd\compilerTemp\BMT.ijbjbjy2.cay\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..05/07/2022 07:40:26.516 [3724]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..05/07/2022 07:40:26.547 [3724]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..05/07/2022 07:40:26.547 [3724]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..05/07/2022 07:40:26.547 [

Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):585
Entropy (8bit):5.0364985393709425
Encrypted:false
SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vym/vXbAa3xT:2dL9hK6E46YPRj618vH
MD5:5FDD6AA2F7F32DDCC95B23DF58A63232
SHA1:7E62504D5ACE2FAB1877BF12E8B1176D2CD02699
SHA-256:EC71BAC0B89F0D0971056A7DED98567DFE526C17061A01EB9167B3EBF74BF01B
SHA-512:0FD3DEAF8F7691E2810F8F9A91500A0382AB8726596D77499D9038F9CBD44D526BF9BA3FE816B0CA7CBAECD0DBED7F342928B64DE2A8CFDF10D42D9F93859A7F
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a55%3a58</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.035835948665124
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vy+/vXbAa3xT:2dL9hK6E46YPRj61kvH
                                                                                              MD5:FDAC39F64352A69608B495852939D178
                                                                                              SHA1:033897EEF4271B057FD1046AF26447A1E38B9840
                                                                                              SHA-256:8E4EAE991D013F5DE0822FB1E817FB41BEEB2ACC9E69F698BD0C12618A19FEF5
                                                                                              SHA-512:9EFDD9B69718D175B01CBB4B7640B06B80FA35484C7B7367B50847428DBDB52B3ABBFF37237E060D33194EF293D7EB9F06E159724AF0AF1D2D6D129C851CECAC
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a55%3a29</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.032528139376698
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vy5/vXbAa3xT:2dL9hK6E46YPRj61RvH
                                                                                              MD5:C8B9A9A60DBC14D1513C4F874244EF11
                                                                                              SHA1:CE4CBE2253AC5EE34D3A2D597FDB6A6D365AC955
                                                                                              SHA-256:113028452A5B45682F5C6AA641CC9F500F6EAB2008C7F11BB8403A5D932A0E5A
                                                                                              SHA-512:C5AABD74857ACB4FE2854CF4DF009A6941C5103BA6FA15484670EC37B2FBC5EA90DA5A112D57EAE2FD223E077697B003946465AC37E1744BCD785AD7C1038216
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a55%3a22</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.035660547925348
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5voHv/vXbAa3xT:2dL9hK6E46YPRj6PXvH
                                                                                              MD5:22279F9406238E4CF41D64EBE4D95534
                                                                                              SHA1:9F00FD22A2D9DC2BDA72C2B68C75B8CA62A53522
                                                                                              SHA-256:A0DBE225C8DA324A84859C4520F7BF9F85DDB535AEB6C10BDC45012B13E1AC93
                                                                                              SHA-512:38E3AD7770D27F2349B02E85AB20AE1DF8741F5F7FD1C7C2ADF4D0DBE76AB87F6ED1417B7F7CD577772CFF1BB602BFD61639332B2B169926502A50DA427E0ABC
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a54%3a47</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.033465312856725
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5voO/vXbAa3xT:2dL9hK6E46YPRj6P0vH
                                                                                              MD5:5E4BC5FD8495DFBFFC242AF4A1E79F52
                                                                                              SHA1:49DDBC19A29724AFD27B27DA07798CA1EB7951F3
                                                                                              SHA-256:707A9EF9259A922FEB1671E1FD41FF66752ABE5F60847F9BD64806C7CFA1C120
                                                                                              SHA-512:A6D24BCDEE45B531EEE9BEB0F92F5D6BE19CD2C7A34C2C179A653CABB57B763131D74A24E52DBA226D747E2F47C7030EFC353F2842ABB38D084469E8ADC8347C
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a54%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.033465312856725
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5voO/vXbAa3xT:2dL9hK6E46YPRj6P0vH
                                                                                              MD5:5E4BC5FD8495DFBFFC242AF4A1E79F52
                                                                                              SHA1:49DDBC19A29724AFD27B27DA07798CA1EB7951F3
                                                                                              SHA-256:707A9EF9259A922FEB1671E1FD41FF66752ABE5F60847F9BD64806C7CFA1C120
                                                                                              SHA-512:A6D24BCDEE45B531EEE9BEB0F92F5D6BE19CD2C7A34C2C179A653CABB57B763131D74A24E52DBA226D747E2F47C7030EFC353F2842ABB38D084469E8ADC8347C
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a54%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.032926395943882
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vyMc/vXbAa3xT:2dL9hK6E46YPRj61pvH
                                                                                              MD5:092E0346C5E4879035337220519AB79A
                                                                                              SHA1:83F1F93CFD9AC716059168A436DD3D662A28663E
                                                                                              SHA-256:0C516242DBA7753FE47F166AEA6717E6F40FF0862D3B94815ED5347289F40894
                                                                                              SHA-512:B47AB646B6120331028E3273AFF5F2840CEEB4F7EC4FE83E1A31427B2EBC4E29E4DEA934D028AFE22A7EAB8A2F7D4C128F8138D658BED021B7081EEA25178303
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a55%3a40</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.037793635892006
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vy5/vXbAa3xT:2dL9hK6E46YPRj6DRvH
                                                                                              MD5:D9A8E4017583FCD1D43A2359D3B23A5F
                                                                                              SHA1:6ADA37AAF64A69D91556BF9BD80A50FC363AB2C7
                                                                                              SHA-256:0E2AEF7DBA941045B484FACACCFDB8D4AFCFB2356265C2D0E283E615B725ED2A
                                                                                              SHA-512:CF53044868AC840F40B09DD7D6FEEA248F0B6D7E3376BD491753A0809CEC33F9C09FCA04FD9AA7D6D27AAE0C58AB0CC9309807F7CD53187C902C8D8979B58B02
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a56%3a29</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                              Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):585
                                                                                              Entropy (8bit):5.0337743888693485
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5voRm/vXbAa3xT:2dL9hK6E46YPRj6PR8vH
                                                                                              MD5:D36A24275E77F609ECB601975C6933A1
                                                                                              SHA1:86A736D7477462DA4F53FA74C995752B0469F056
                                                                                              SHA-256:A801604E56D1A621258D9553DE3021DD8A074934BDB3DEF6639FD59D5D013D26
                                                                                              SHA-512:CE103A381FE085FA2A7177FC96E646E2FB5126CC44D6B1751024DC6E3E907B1425F5656364A162B538924B0EF987F05E0875315A1FB6F2BE3A7479B10C751041
                                                                                              Malicious:false
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a54%3a44</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
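The dropped XML files above are repeated writes of the ScreenConnect client's HostToAddressMap setting: each one pins the relay hostname to the IP the client resolved and a URL-encoded timestamp, which makes them a compact source of network indicators when triaging an unwanted ScreenConnect install. The following parser is an added example, not code from this report or from ScreenConnect; it reconstructs one of the previews above as sample input (the ".." in the preview stands for CRLF) and reads the value as "<relay host>=<IPv4>-<url-encoded time>". The day-first reading of the trailing field as a resolution timestamp, and the assumption that the "instance-<id>-relay.screenconnect.com" naming generalises, are inferred from the values on this page only.

```python
"""Pull ScreenConnect relay indicators out of dropped HostToAddressMap configs.

Added example for triage; the sample XML below is reconstructed from one
dropped-file preview on this page and is constructed test input, not a file
captured by this script.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import unquote

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2002%3a55%3a58</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# Naming convention observed in the value above; assumed to generalise.
_RELAY_HOST_RE = re.compile(r"^instance-([a-z0-9]+)-relay\.screenconnect\.com$", re.I)


def host_to_address_value(xml_text: str) -> Optional[str]:
    """Return the raw HostToAddressMap string from a client config, or None."""
    # Parse as bytes so the XML encoding declaration is honoured by expat.
    root = ET.fromstring(xml_text.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("name") == "HostToAddressMap":
            value = setting.find("value")
            if value is not None and value.text:
                return value.text.strip()
    return None


def parse_host_to_address(value: str) -> Dict[str, str]:
    """Split "<host>=<address>-<url-encoded time>" into its three fields.

    The host is everything before the first '='; the address is everything up
    to the first '-' after it (an IPv4 literal never contains '-'); the rest is
    URL-decoded. Treating that rest as a day-first resolution time is an
    assumption drawn from the observed value "30%2f12%2f2024%2002%3a55%3a58".
    """
    host, sep, rest = value.partition("=")
    if not sep:
        raise ValueError(f"no '=' in HostToAddressMap value: {value!r}")
    address, sep, encoded_time = rest.partition("-")
    if not sep:
        raise ValueError(f"no '-' separating address and time: {value!r}")
    return {"host": host, "address": address, "resolved_at": unquote(encoded_time)}


def relay_instance_id(host: str) -> Optional[str]:
    """Extract the instance identifier from a relay hostname, if it matches."""
    match = _RELAY_HOST_RE.match(host)
    return match.group(1) if match else None


def relay_indicators(configs: Iterable[str]) -> Set[Tuple[str, str]]:
    """Collapse many dropped config copies into unique (host, address) pairs.

    The report lists several copies differing only in the timestamp, so the
    distinct pairs are the indicators worth blocking or hunting for.
    """
    pairs: Set[Tuple[str, str]] = set()
    for xml_text in configs:
        raw = host_to_address_value(xml_text)
        if raw is None:
            continue
        fields = parse_host_to_address(raw)
        pairs.add((fields["host"], fields["address"]))
    return pairs


if __name__ == "__main__":
    raw_value = host_to_address_value(SAMPLE_CONFIG)
    fields = parse_host_to_address(raw_value)
    print(fields, relay_instance_id(fields["host"]))
    print(relay_indicators([SAMPLE_CONFIG]))
```

Point `relay_indicators` at every `*.config` under the dropped "ScreenConnect Client (<thumbprint>)" folder; the set it returns is what to compare against proxy and DNS logs, while the decoded timestamps give a rough timeline of when the client was talking to the relay.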
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):512
                                                                                              Entropy (8bit):0.0
                                                                                              Encrypted:false
                                                                                              SSDEEP:3::
                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                              Malicious:false
                                                                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):69632
                                                                                              Entropy (8bit):0.23832692989295343
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:PYUtLMDBAdu/CS3qcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIarkykB:gARxprfP1dfH7rWCQQnILy
                                                                                              MD5:BA7C16E399ED059A36E0335DC93A153A
                                                                                              SHA1:9A3FF70E569AA263ADE59BFA2D08FA5AF82D802C
                                                                                              SHA-256:C251170728B0194FDC1024CF4308CA5ACC15C9B9B4C35BE78436F30BEF7EED19
                                                                                              SHA-512:B02A1B067AF626C089C557A76FDF469B6612772AC82B17E7D311DD8A9694B9454AFCFB1EF228AF792196C0DAFC07F9329535EF131157413F8F0500B9C665B398
                                                                                              Malicious:false
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\SystemTemp\~DF395819C9C25174D8.TMP, Author: Joe Security
                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):32768
                                                                                              Entropy (8bit):0.07737110662085729
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOgDbXsTHZqjSKChiVky6l51:2F0i8n0itFzDHFqbcjp7r
                                                                                              MD5:23CD5BC9C9E3CFA6DF98D2177DAEC21E
                                                                                              SHA1:B648F760EBB611056CB3C4C147FE9A2C3D299F68
                                                                                              SHA-256:9CC7F66D07429154F1DEABDC405152765156812EAACDC9030165BE5FD6910D1B
                                                                                              SHA-512:FDDEE2387738F34502F86E744D0512A5FA05D7285CE35848F7F03A4D23467F6914664064B4A89BF0A6E1A2610190960FC8AA613F4DD010B5D0D34015034475E8
                                                                                              Malicious:false
                                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                              Category:dropped
                                                                                              Size (bytes):20480
                                                                                              Entropy (8bit):1.810392767236109
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:J8PhMuRc06WXzuFT5kkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2AJ:EhM1zFTGUiprfP1dfH7rWCQQnIMfp
                                                                                              MD5:D3D21E0BDA21632913B6A5C9D21C7431
SHA1:5B78355C52A6D9491553A5CF0F3C9660CCA3CCF8
SHA-256:60505172A9ED16818B09C7A7E5E164A5C15E400DF9FA065B3D216D538174ED4F
SHA-512:FC1A7D3B0858EC5AC9DE6C46AF562C5879C4B37EB56FD7DED4136FA194B1E454B163E2B318811951E4506B0DCF852701E7DBA358E0B40EC04B60947804D5F0A8
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\SystemTemp\~DFDE52A21268E62328.TMP, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.810392767236109
Encrypted:false
SSDEEP:48:J8PhMuRc06WXzuFT5kkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2AJ:EhM1zFTGUiprfP1dfH7rWCQQnIMfp
MD5:D3D21E0BDA21632913B6A5C9D21C7431
SHA1:5B78355C52A6D9491553A5CF0F3C9660CCA3CCF8
SHA-256:60505172A9ED16818B09C7A7E5E164A5C15E400DF9FA065B3D216D538174ED4F
SHA-512:FC1A7D3B0858EC5AC9DE6C46AF562C5879C4B37EB56FD7DED4136FA194B1E454B163E2B318811951E4506B0DCF852701E7DBA358E0B40EC04B60947804D5F0A8
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF037C1DC12B91FF6C.TMP, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4278261546133846
Encrypted:false
SSDEEP:48:QpkuQth8FXzvT5aUMkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2Adj:QkyRTo3UiprfP1dfH7rWCQQnIMfp
MD5:362A49FCD215992B749BC90390661FC5
SHA1:8F6234202EA445F6315D9FD5D4BFA3DDC4BD9D3B
SHA-256:E1C9516E68DD38A862AD087A5BE5878F92C4C33E8A017992BB392D12C82CA657
SHA-512:162DFC2E0A53AD52CE8625548CE7CCC4187AE4150F70E815A03AB03280EBC38871A1C685E4B9ADC703E2975F0F5A017A0C3BCB0DABC939286E41A06EEBCAF6A9
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF35717DA52A2C51D3.TMP, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4278261546133846
Encrypted:false
SSDEEP:48:QpkuQth8FXzvT5aUMkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2Adj:QkyRTo3UiprfP1dfH7rWCQQnIMfp
MD5:362A49FCD215992B749BC90390661FC5
SHA1:8F6234202EA445F6315D9FD5D4BFA3DDC4BD9D3B
SHA-256:E1C9516E68DD38A862AD087A5BE5878F92C4C33E8A017992BB392D12C82CA657
SHA-512:162DFC2E0A53AD52CE8625548CE7CCC4187AE4150F70E815A03AB03280EBC38871A1C685E4B9ADC703E2975F0F5A017A0C3BCB0DABC939286E41A06EEBCAF6A9
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF9375DC9A1BC3D00B.TMP, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4278261546133846
Encrypted:false
SSDEEP:48:QpkuQth8FXzvT5aUMkBBPqcq56Adu/CSidzl7GMduQkE7usWC/ViTEl5bIar2Adj:QkyRTo3UiprfP1dfH7rWCQQnIMfp
MD5:362A49FCD215992B749BC90390661FC5
SHA1:8F6234202EA445F6315D9FD5D4BFA3DDC4BD9D3B
SHA-256:E1C9516E68DD38A862AD087A5BE5878F92C4C33E8A017992BB392D12C82CA657
SHA-512:162DFC2E0A53AD52CE8625548CE7CCC4187AE4150F70E815A03AB03280EBC38871A1C685E4B9ADC703E2975F0F5A017A0C3BCB0DABC939286E41A06EEBCAF6A9
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF953711672F9C7658.TMP, Author: Joe Security
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.429536247541231
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuredOnedrive.ClientSetup.exe
File size:5'621'992 bytes
MD5:58fe579f71dbeda2fd50c1b046b5f3ef
SHA1:84eeee9907009151ad5efc1074fb5db27bd2977a
SHA256:40cafa4d9e7220f582af1ecc2a4b0ea1ab4b3b76fd83a398a0ebb50eeb5fce7d
SHA512:1db3a9d2d8564fa5d82f67a03b97d33f2e8cd9b92253a519d93ab786ebff9e546299b3e7a1860acbb953cc769853e8a0f075f89db5194006abe9e0bc10d021fc
SSDEEP:49152:HEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:QEs6efPNwJ4t1h0cG5FGJRPxow8O
TLSH:7746E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
Icon Hash:2086969696969600
Entrypoint:0x4014ad
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:9771ee6344923fa220489ab01239bdfd
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
• 17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain
• CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:3
Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:0B9360051BCCF66642998998D5BA97CE
Instruction
call 00007FF294E4ED6Ah
jmp 00007FF294E4E81Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007FF294E4E9A7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
• [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x166e8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533074 | 0x533200 | d813d73373778ed5b0a4b71b252379eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 03:54:43.577128887 CET | 55215 | 53 | 192.168.2.24 | 1.1.1.1
Dec 30, 2024 03:54:43.609863043 CET | 53 | 55215 | 1.1.1.1 | 192.168.2.24
Dec 30, 2024 03:55:29.960679054 CET | 55215 | 53 | 192.168.2.24 | 1.1.1.1
Dec 30, 2024 03:55:29.994236946 CET | 53 | 55215 | 1.1.1.1 | 192.168.2.24
Dec 30, 2024 03:56:00.404778957 CET | 55215 | 53 | 192.168.2.24 | 1.1.1.1
Dec 30, 2024 03:56:00.438858032 CET | 53 | 55215 | 1.1.1.1 | 192.168.2.24
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 03:54:43.577128887 CET | 192.168.2.24 | 1.1.1.1 | 0xbb80 | Standard query (0) | instance-cb2j07-relay.screenconnect.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 03:55:29.960679054 CET | 192.168.2.24 | 1.1.1.1 | 0xa0e9 | Standard query (0) | instance-cb2j07-relay.screenconnect.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 03:56:00.404778957 CET | 192.168.2.24 | 1.1.1.1 | 0xd933 | Standard query (0) | instance-cb2j07-relay.screenconnect.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 03:54:30.439529896 CET | 1.1.1.1 | 192.168.2.24 | 0x6454 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 03:54:30.439529896 CET | 1.1.1.1 | 192.168.2.24 | 0x6454 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 03:54:43.609863043 CET | 1.1.1.1 | 192.168.2.24 | 0xbb80 | No error (0) | instance-cb2j07-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 03:54:43.609863043 CET | 1.1.1.1 | 192.168.2.24 | 0xbb80 | No error (0) | server-nixce85832f-relay.screenconnect.com | | 145.40.105.136 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 03:55:29.994236946 CET | 1.1.1.1 | 192.168.2.24 | 0xa0e9 | No error (0) | instance-cb2j07-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 03:55:29.994236946 CET | 1.1.1.1 | 192.168.2.24 | 0xa0e9 | No error (0) | server-nixce85832f-relay.screenconnect.com | | 145.40.105.136 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 03:56:00.438858032 CET | 1.1.1.1 | 192.168.2.24 | 0xd933 | No error (0) | instance-cb2j07-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 03:56:00.438858032 CET | 1.1.1.1 | 192.168.2.24 | 0xd933 | No error (0) | server-nixce85832f-relay.screenconnect.com | | 145.40.105.136 | A (IP address) | IN (0x0001) | false


                                                                                              Target ID:0
                                                                                              Start time:21:54:35
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe"
                                                                                              Imagebase:0x6c0000
                                                                                              File size:5'621'992 bytes
                                                                                              MD5 hash:58FE579F71DBEDA2FD50C1B046B5F3EF
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.11746741885.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.11713407286.00000000006D6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:21:54:36
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
                                                                                              Imagebase:0xde0000
                                                                                              File size:145'408 bytes
                                                                                              MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:21:54:37
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                              Imagebase:0x7ff70edf0000
                                                                                              File size:176'128 bytes
                                                                                              MD5 hash:C0D3BDDE74C1EC82F75681D4D5ED44C8
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:5
                                                                                              Start time:21:54:38
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 77340DACFC52F1F82F48657C600111B3 C
                                                                                              Imagebase:0xde0000
                                                                                              File size:145'408 bytes
                                                                                              MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:21:54:38
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI159B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5183031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                              Imagebase:0x290000
                                                                                              File size:52'224 bytes
                                                                                              MD5 hash:A79FE1974156C5C9ED4331BF78D2DBB1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:7
                                                                                              Start time:21:54:40
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding FC01D66D9C659A0C1A52C9225EB89673
                                                                                              Imagebase:0xde0000
                                                                                              File size:145'408 bytes
                                                                                              MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:21:54:41
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3B616DDBEE16C1106C896B51026D25DE E Global\MSI0000
                                                                                              Imagebase:0xde0000
                                                                                              File size:145'408 bytes
                                                                                              MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:9
                                                                                              Start time:21:54:41
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=69a721fd-b674-4daa-86be-2f9c571953f8&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM"
                                                                                              Imagebase:0x730000
                                                                                              File size:95'512 bytes
                                                                                              MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Antivirus matches:
                                                                                              • Detection: 0%, ReversingLabs
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              Target ID:10
                                                                                              Start time:21:54:42
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "2cfdcfba-a2ce-49b7-8617-d9cdd62ec687" "User"
                                                                                              Imagebase:0x240000
                                                                                              File size:602'392 bytes
                                                                                              MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000000.11787110653.0000000000242000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.12973476702.0000000002601000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                              Antivirus matches:
                                                                                              • Detection: 0%, ReversingLabs
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              Target ID:32
                                                                                              Start time:21:55:48
                                                                                              Start date:29/12/2024
                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
                                                                                              Imagebase:0x7ff715c70000
                                                                                              File size:79'920 bytes
                                                                                              MD5 hash:8EC922C7A58A8701AB481B7BE9644536
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #!$K6$7
                                                                                                • API String ID: 0-185628103
                                                                                                • Opcode ID: 5974d27e1aa1a61d38396a246bf2f3f43a38f85c6b7067a04468fcbed454c483
                                                                                                • Instruction ID: ca603474e77333936480b9e11cdef16199a1fefa35a0596647e6742d67a71e0c
                                                                                                • Opcode Fuzzy Hash: 5974d27e1aa1a61d38396a246bf2f3f43a38f85c6b7067a04468fcbed454c483
                                                                                                • Instruction Fuzzy Hash: 7C51C7747113524BC716E77AE694AEE7BE7EBC82543108A29D906C7348EF70DC018BD4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: cU
                                                                                                • API String ID: 0-2984249731
                                                                                                • Opcode ID: d577eeb37e4b45b49efdea7c51bbc3d265b27c030b5154c3882924e496488699
                                                                                                • Instruction ID: 5a68e3c3605a7ddc1ecf9b67c0f45453e7e492be443f719c879fdda79f29f76d
                                                                                                • Opcode Fuzzy Hash: d577eeb37e4b45b49efdea7c51bbc3d265b27c030b5154c3882924e496488699
                                                                                                • Instruction Fuzzy Hash: A801D6317003175BC721A69AED81BABB7EADB90698F048436E955C7380EF70DC014B94
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: cU
                                                                                                • API String ID: 0-2984249731
                                                                                                • Opcode ID: 716e7978260199663d78157c558b23d0dad62acbea2edb11a2dd6e9296148eb7
                                                                                                • Instruction ID: 036df465a5db7a2e3cf9ccb8a38075526afe7b76e83c98da2c06bfb658e93283
                                                                                                • Opcode Fuzzy Hash: 716e7978260199663d78157c558b23d0dad62acbea2edb11a2dd6e9296148eb7
                                                                                                • Instruction Fuzzy Hash: 4AF0F67170031A5BC725A65EED90EABB7EEEFC4698B008536E914C7384EF70EC008B94
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0ed8ec711fc91290d69fc52970e4f292b96a502aede48b1d375fb10352f8023d
                                                                                                • Instruction ID: e690d364d6c32c263f57178a9ce6ab3594dbb9aaf88e8e176907693dee4e1c35
                                                                                                • Opcode Fuzzy Hash: 0ed8ec711fc91290d69fc52970e4f292b96a502aede48b1d375fb10352f8023d
                                                                                                • Instruction Fuzzy Hash: 17C1F635A0120A9FCF11CF98C9949AEBBB6FF49314B248499E915AB360D731ED15CFA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7cf21928c38f4a367b04da54234faf1ee158ffcb044fcb51edccf21c53d18730
                                                                                                • Instruction ID: b9825c788efe4dc3ad2bfcf705c6f50233b3043c1f30507b4d8e4a0d06b9792f
                                                                                                • Opcode Fuzzy Hash: 7cf21928c38f4a367b04da54234faf1ee158ffcb044fcb51edccf21c53d18730
                                                                                                • Instruction Fuzzy Hash: C7A13E78B002059FD715DF69DA98A6EBBF2FB88304B159529E90ADB394DF70DC05CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 355ff623e85f51d74d628e7b73ff8659b680da2a7ba538cdfd3ba10dfa826168
                                                                                                • Instruction ID: 0c213e6d5c2dc7ed1c8cf7e358c7a2bcc56a27cf62a914233370da8f85860279
                                                                                                • Opcode Fuzzy Hash: 355ff623e85f51d74d628e7b73ff8659b680da2a7ba538cdfd3ba10dfa826168
                                                                                                • Instruction Fuzzy Hash: F2913D78B002059FD745EF69DA98A6EBBF2BF88304B119529E90ADB394DF70DC05CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a733634cc853097c9ff73eab6d2835f1b7a27ef562a529ac81282d3973fc9fb1
                                                                                                • Instruction ID: d456aeb182283c75e4e19ec01a9c0d71415dcad0daf9c7793c0439ce0608b873
                                                                                                • Opcode Fuzzy Hash: a733634cc853097c9ff73eab6d2835f1b7a27ef562a529ac81282d3973fc9fb1
                                                                                                • Instruction Fuzzy Hash: 6A914B34A003198FCB15DF69D944A9EBBF6EF89354B108529E805DB358EB70ED06CF84
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7c18313ea573c56fcaaa5311cc1389ab9dfc91d110db94441c72650b51c3c801
                                                                                                • Instruction ID: 2fba187bff0e0e951976303e83433b37545ae136b8b73cc1639d7a8c802082da
                                                                                                • Opcode Fuzzy Hash: 7c18313ea573c56fcaaa5311cc1389ab9dfc91d110db94441c72650b51c3c801
                                                                                                • Instruction Fuzzy Hash: 9161AF35B002059FCB05DF69C9845AEFBF6EFC9310728856AE80AEB351DB71EC058B95
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2ee11876775a9d0a80847cfa2fb5737a0b94dc860c59fe9c8dad6c4606d77dcc
                                                                                                • Instruction ID: 278b7bd79cfa3945b26d8a42acfb4a8a04675bb3bfa96e5a57240218c5b489bd
                                                                                                • Opcode Fuzzy Hash: 2ee11876775a9d0a80847cfa2fb5737a0b94dc860c59fe9c8dad6c4606d77dcc
                                                                                                • Instruction Fuzzy Hash: FB61E938B016159FCB15DF69D998AAEB7F6FF89305B108498E506EB360DB30ED01DB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 38a363b4026a0fb6ea4ca0b78f18eb1c33e93d590104fe5d0cd73c97064f59ef
                                                                                                • Instruction ID: 021def767fb0500a0243690c90f3d035076f1ea15cd0fc2678d520f85d384da4
                                                                                                • Opcode Fuzzy Hash: 38a363b4026a0fb6ea4ca0b78f18eb1c33e93d590104fe5d0cd73c97064f59ef
                                                                                                • Instruction Fuzzy Hash: C951F235B002098BCB06DF69C558BAEBBEAFFC5358F108469E809DB344DB35DD058BA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
• Opcode ID: 8150047c47aa269c18ebb6e30daf4a5dfcad8e7839c5f12b73e3b3ab2866f9db
• Instruction ID: ec2187c43ad088e0de14b36a70b21c175596afa2c2a983db6680aa84c535a0e1
• Opcode Fuzzy Hash: 8150047c47aa269c18ebb6e30daf4a5dfcad8e7839c5f12b73e3b3ab2866f9db
• Instruction Fuzzy Hash: 0C512C35A106198FCB44CFA9C98499EBBF6FF89700B254169E505EF321DBB1AD05CB40
Memory Dump Source
• Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7254cf2c24dfafac12de68ffa4c14ffb5dbec72bd31dbf3a7492e93b965f1421
• Instruction ID: 8667678ec38c3a96840ffc1542dd0137e9ecf87e20a116b7647b8fb5175ca461
• Opcode Fuzzy Hash: 7254cf2c24dfafac12de68ffa4c14ffb5dbec72bd31dbf3a7492e93b965f1421
• Instruction Fuzzy Hash: D6518F34E103099FCB04EFA8D958B9DBBF2FF98304F108519E505AB394DB75A945CB94
                                                                                                • Instruction Fuzzy Hash: C0210575E012588FDB19CFAAD9446EEFBF6AFC9300F08C06AD814B7255DB345945CB50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: baf32e7c430ad1f2fcc56611da2a516bbdae6bc092b0ffc4f66e76af9100805b
                                                                                                • Instruction ID: 4f60a76cd8bae833153a6c7a09c505320437ce86d73adb536d09436ada9b0c72
                                                                                                • Opcode Fuzzy Hash: baf32e7c430ad1f2fcc56611da2a516bbdae6bc092b0ffc4f66e76af9100805b
                                                                                                • Instruction Fuzzy Hash: 6A11B47A3042108FDB1ACB68D590B6ABBF7FBCC3147208469D459CB341DB31D8028B60
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 653bd2873c8657cb5018641ecb9c03d29a6f4b61a383d9562d508ed2be0d6192
                                                                                                • Instruction ID: d907c512044844200e697830ba810552ce58c7d3863aa936f6b85059cc35f69d
                                                                                                • Opcode Fuzzy Hash: 653bd2873c8657cb5018641ecb9c03d29a6f4b61a383d9562d508ed2be0d6192
                                                                                                • Instruction Fuzzy Hash: F3216A346007058FC735DF26C948A9ABBF5EF44320B048A2CD4669B6E0DB31F94ACF80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2239b4140f63d84ce67607a94c38828458fcba041da1f1d54245249b0bec1711
                                                                                                • Instruction ID: bbccff7fc8a3d2cb7cbfb690c1ca651d4d839c8ed2681abf37d8ca76321a6efa
                                                                                                • Opcode Fuzzy Hash: 2239b4140f63d84ce67607a94c38828458fcba041da1f1d54245249b0bec1711
                                                                                                • Instruction Fuzzy Hash: 53116D393002149FCB19DBA9D954A2ABBFBFBCC3147208429E55ACB340DB32EC018B61
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1c007425267fa811d48ea72ea85b8d64050d4435803b22277697a11ffdf42579
                                                                                                • Instruction ID: 1c8bde9d518777f62c6bcb587f4e8baf55f2500afd579cf180b0e38ea85f97d7
                                                                                                • Opcode Fuzzy Hash: 1c007425267fa811d48ea72ea85b8d64050d4435803b22277697a11ffdf42579
                                                                                                • Instruction Fuzzy Hash: A8115E78E002099FCB04DFA9D454AAFFBF1EF88300F008469D915A7351DB31A914CF55
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 9520cf2550efa5a305096d5af24c386522f7ca1d9a19990275808634890f2aff
                                                                                                • Instruction ID: 5d2c891e3a56849e43f55c90551b2957ca94ea2e9c2eb62dfa2175f070e34d3e
                                                                                                • Opcode Fuzzy Hash: 9520cf2550efa5a305096d5af24c386522f7ca1d9a19990275808634890f2aff
                                                                                                • Instruction Fuzzy Hash: EF11E878E002099FCB04DFA9D5549AEFBF2EF88300F108469D919A7390DB35AA15CF95
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730008385.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_285d000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 92e715a969096302f812b5c521f194112a92cccf67ae82958f9c6279b8b4d4e7
                                                                                                • Instruction ID: 78983b70a5674d9e64dc0bb95c727bccdc8380622a417d10e2af197b5f35565c
                                                                                                • Opcode Fuzzy Hash: 92e715a969096302f812b5c521f194112a92cccf67ae82958f9c6279b8b4d4e7
                                                                                                • Instruction Fuzzy Hash: 5F01F7794043549AE7108E2ACD84763FFE8DF41328F18C05ADD488B242C3799845C7B1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730008385.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_285d000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 0a346e45292f3edbb69b36ed1636751fca97087dc393135c6d0c9c779baa2afc
                                                                                                • Instruction ID: 997c27a563c4b18db6be7e48ba8b143bdb9ed35964c4d3925451e734ec74b10e
                                                                                                • Opcode Fuzzy Hash: 0a346e45292f3edbb69b36ed1636751fca97087dc393135c6d0c9c779baa2afc
                                                                                                • Instruction Fuzzy Hash: 5C015E6540D3C09EE7168B258C94B52BFF4EF53224F18C1DBDD888F293C2699849C772
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2cdeb2aae403d20d87672ec87ccf583b2a5baefe0e30f97fcb161473805931f0
                                                                                                • Instruction ID: 6d251bdecc6d48c2444f91067f460f3c65788bb6f85d7dae9b0247cdd4d82b08
                                                                                                • Opcode Fuzzy Hash: 2cdeb2aae403d20d87672ec87ccf583b2a5baefe0e30f97fcb161473805931f0
                                                                                                • Instruction Fuzzy Hash: 57F0F6367001146BC314A65AD895E6BFBAAEBC8260B14812AE909CB385DD72DC0283A4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d8422638028ce6573a4e68c93f538c4f7d4d3575c30522a195d725e9647cfe10
                                                                                                • Instruction ID: 4a9f3b21f0b063adbf4fa0319e799dab711a886f3e1b7128a27f61a953ca9231
                                                                                                • Opcode Fuzzy Hash: d8422638028ce6573a4e68c93f538c4f7d4d3575c30522a195d725e9647cfe10
                                                                                                • Instruction Fuzzy Hash: 42F0C2393043550BC723A739B42865FBBE5EFCA2167004569D94ACB751DF24A8148791
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e091e8bc53277c2fa1e05be9362395b8cf5f799c5764e566afb7e447a21a204c
                                                                                                • Instruction ID: 0b63ffd8d8cb65f3fdcdba2cf69628c8637c3e2c6fdab801b46fce511b3a52c6
                                                                                                • Opcode Fuzzy Hash: e091e8bc53277c2fa1e05be9362395b8cf5f799c5764e566afb7e447a21a204c
                                                                                                • Instruction Fuzzy Hash: 80F0E53A7001145BD705EA58D895BAFB7A7EBD8354F54841BD9098B784CE76DC038790
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3b1c7f242718309df8c3466924fca784b4d2d3c5e79bbd1a0d29ffc53783d83e
                                                                                                • Instruction ID: ee6a64eb5d0b8c5c34ec24ca994966180c87043fac793d3be177d9881e01e1f1
                                                                                                • Opcode Fuzzy Hash: 3b1c7f242718309df8c3466924fca784b4d2d3c5e79bbd1a0d29ffc53783d83e
                                                                                                • Instruction Fuzzy Hash: 43F0A79388E3C45FD70383688D616913F74CB17299B8E41D7D888DF2B3E2199D0AD762
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a76d85fb39b260b1fb6c83411b4d0cf3db1b90d25418673a7b501ff07ebe6c1c
                                                                                                • Instruction ID: 5cce467e8f83e29b148716b678ae607c0f39faf9dce3da6f8fae96f77e0ebc35
                                                                                                • Opcode Fuzzy Hash: a76d85fb39b260b1fb6c83411b4d0cf3db1b90d25418673a7b501ff07ebe6c1c
                                                                                                • Instruction Fuzzy Hash: EBF06D70D4021A9FCB65DF6CC8957AEBBF4EB04224F604A69D120E3791D374C5418F90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 17a6dd3177f0b8d67aa66ea0cff81e741d99f74a961984df82047f48d3143e40
                                                                                                • Instruction ID: 15c123e2ba95812e746f6de394bcd9e5c460008bdf17b53035b0cde3bbee7343
                                                                                                • Opcode Fuzzy Hash: 17a6dd3177f0b8d67aa66ea0cff81e741d99f74a961984df82047f48d3143e40
                                                                                                • Instruction Fuzzy Hash: 61F0823D3002154B8716A729F50895E77E6EBC92663008529E50ED7754EF60EC0487D1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3df8e0a90babcac4df43a566a8e64f055333be222283224f76dd03aff1eea4af
                                                                                                • Instruction ID: 763cd40c082a6e9d45fe9bad722d0ddf1c3d90b064e36b9c349a9b9681d7f84a
                                                                                                • Opcode Fuzzy Hash: 3df8e0a90babcac4df43a566a8e64f055333be222283224f76dd03aff1eea4af
                                                                                                • Instruction Fuzzy Hash: 5FF01770D0020A9FDB64EFACC855A6EBBF4AB08228F204A69D528E7291D77086418FD1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 91fd17ad11ee71a56a9908a9d61f42b4147662312fd7e4631d76b018ef6ee1e4
                                                                                                • Instruction ID: 314e812fb5ca5b3c3c29ef9e6eb6ec3f78409041f872202e69040336a9fb7f5b
                                                                                                • Opcode Fuzzy Hash: 91fd17ad11ee71a56a9908a9d61f42b4147662312fd7e4631d76b018ef6ee1e4
                                                                                                • Instruction Fuzzy Hash: 40F05EB0D0021A9FCB50EF68C5567AEBFF4AB04214F50496AE014E3291D7788540CFC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 46ba3860afd9ba3b365d14ddacb2c07a4f49c439f6d25fecde5b1f8136c8e6f7
                                                                                                • Instruction ID: d2ca475353edea04bafa00191112ceba122950429a207d812f794ca5a03cec8b
                                                                                                • Opcode Fuzzy Hash: 46ba3860afd9ba3b365d14ddacb2c07a4f49c439f6d25fecde5b1f8136c8e6f7
                                                                                                • Instruction Fuzzy Hash: 40F03770D0020DDFCB54EFA8D5556AEBFF4EB08314F100665D418E3291D77085408FC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.11730950460.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_2930000_SecuredOnedrive.jbxd
Memory Dump Source
• Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
Strings
• e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r, xrefs: 054730AB, 054730B7, 054730C7, 054730F1
• t Visual C++ Runtime Library, xrefs: 054728E4
                                                                                                Strings
                                                                                                • use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the, xrefs: 054720FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: use MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the
                                                                                                • API String ID: 0-4060562810
                                                                                                • Opcode ID: 23a1a07b6e75391c90875fda76eec4611333d3edab53a5c765c00ed503527064
                                                                                                • Instruction ID: f53a2cf11880bbe77464ea6186b4d32dd0bc7b610e617006e2bff978f63bc16c
                                                                                                • Opcode Fuzzy Hash: 23a1a07b6e75391c90875fda76eec4611333d3edab53a5c765c00ed503527064
                                                                                                • Instruction Fuzzy Hash: 28410A35B041185BDB18E66988997EF6BABEFC8610F10802FD907E7380CF759D0687E1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: nitialized
                                                                                                • API String ID: 0-1155403791
                                                                                                • Opcode ID: d4f06037ee4fe90f4b0e548ed61eb5a6e0e881272f6c2066d0ee106f09f6fec1
                                                                                                • Instruction ID: 56cbafd8265a4867ad13c87407aa562d0050be70c2de554d7dc56e3e83d2c59d
                                                                                                • Opcode Fuzzy Hash: d4f06037ee4fe90f4b0e548ed61eb5a6e0e881272f6c2066d0ee106f09f6fec1
                                                                                                • Instruction Fuzzy Hash: A521F632B001589BDB188A659995BFF7BAAEB88251F04506BD946CB394DF30DD02C791
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r
                                                                                                • API String ID: 0-3091989154
                                                                                                • Opcode ID: 5cfdcd2c138ce8f74aa9534f6dfa108293e608397121886d5b5edf0318edcf96
                                                                                                • Instruction ID: 559d2f6ce78778063679d20eabcabb9ef7c1931e8164883440213a6bd4aa2965
                                                                                                • Opcode Fuzzy Hash: 5cfdcd2c138ce8f74aa9534f6dfa108293e608397121886d5b5edf0318edcf96
                                                                                                • Instruction Fuzzy Hash: 59210A74F14208AFCB08EB64D856AE97BB6EF89311F14805BD815A7392DF789D41C7A0
                                                                                                Strings
                                                                                                • e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r, xrefs: 054730AB, 054730B7, 054730C7, 054730F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r
                                                                                                • API String ID: 0-3091989154
                                                                                                • Opcode ID: c163a591216432648815097e8a1fe5601a7b3b960efaed8b5843d618d94a3b2c
                                                                                                • Instruction ID: 256d0100dc96dbb3e9109dcdeecbec592d4ab772d61d54ec369a03e9047d22a6
                                                                                                • Opcode Fuzzy Hash: c163a591216432648815097e8a1fe5601a7b3b960efaed8b5843d618d94a3b2c
                                                                                                • Instruction Fuzzy Hash: 0F21C334B142089BDF08EBA5C856ADE7BB3EFCC310F14846AE415A7351DF759841CB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r
                                                                                                • API String ID: 0-3091989154
                                                                                                • Opcode ID: 09749b597435542b48d6ed979ecc82a42799049b0437e6391d53b950408f6436
                                                                                                • Instruction ID: ba5d7025425d082d720d0da5df62668ec6d0076a0569610677386a3208438fb5
                                                                                                • Opcode Fuzzy Hash: 09749b597435542b48d6ed979ecc82a42799049b0437e6391d53b950408f6436
                                                                                                • Instruction Fuzzy Hash: E2118E34F14208ABDB08EB65D456AE97BB6EF8C311F10902AE415A7391DFB99D41CBA0
                                                                                                Strings
                                                                                                • e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r, xrefs: 05471993, 054719A0, 054719B1, 054719C5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r
                                                                                                • API String ID: 0-3091989154
                                                                                                • Opcode ID: 12984604cfd5aada28ed0753fec874f5f228a6ed559847bcfd7940261fef5cda
                                                                                                • Instruction ID: e8880bcc226cf173eb74547badc3eb16cb2a30d87b6ff0c1b41781d048da3e9e
                                                                                                • Opcode Fuzzy Hash: 12984604cfd5aada28ed0753fec874f5f228a6ed559847bcfd7940261fef5cda
                                                                                                • Instruction Fuzzy Hash: EA11AC35A24204DFCB08DFA4D49AAED7FB2AF8C310F148019E406A3360DF74A941CB90
                                                                                                Strings
                                                                                                • e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r, xrefs: 05471993, 054719A0, 054719B1, 054719C5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: e MSIL code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the r
                                                                                                • API String ID: 0-3091989154
                                                                                                • Opcode ID: d4414bd3f9a9aa3410f55d97c822addacd77e93d6d4c13146086f5b5674357c6
                                                                                                • Instruction ID: 97477c5afb64a573d1b18d3a418e0a06e9b26b47bb0b1ead4e042e455c280cf8
                                                                                                • Opcode Fuzzy Hash: d4414bd3f9a9aa3410f55d97c822addacd77e93d6d4c13146086f5b5674357c6
                                                                                                • Instruction Fuzzy Hash: 04116D35A24214AFDB08EFA4D85AAED7FB7AF8C310F148019E405A7361DF75A941CB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: too far back
                                                                                                • API String ID: 0-177437652
                                                                                                • Opcode ID: 1508bdfdef1725a83d77c3c8516e8eabf81a7c88a99e19e286bf1ea7bfb7b052
                                                                                                • Instruction ID: 551a4de773933b29a37ab929bb83c4e9bd1e9f69f2b673370eb4e632978c2506
                                                                                                • Opcode Fuzzy Hash: 1508bdfdef1725a83d77c3c8516e8eabf81a7c88a99e19e286bf1ea7bfb7b052
                                                                                                • Instruction Fuzzy Hash: 8601F570B082485FC704E76DD8105EEBBBADF86200B10C0BAD448DB385CE369D16C7AA
                                                                                                Strings
                                                                                                • t Visual C++ Runtime Library, xrefs: 05472F8B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: t Visual C++ Runtime Library
                                                                                                • API String ID: 0-2586761745
                                                                                                • Opcode ID: d8a54db063932a288f9ddd7582cce618a86db5c9d325798ebfe5d7bf422b794d
                                                                                                • Instruction ID: 53d03d1d0d622f511896f09a1fb602961483ce93d1daaa55d2074bc996fcc5c4
                                                                                                • Opcode Fuzzy Hash: d8a54db063932a288f9ddd7582cce618a86db5c9d325798ebfe5d7bf422b794d
                                                                                                • Instruction Fuzzy Hash: FDD0A73BE1422C63DF04A0A49456BFA674CC748020F000467E92DC630DDBE5880012D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c046d6cde7fbed215275338122ff06d0e96192740feee719ff0e802ce86289a5
                                                                                                • Instruction ID: f8fc607f8512b8018214119620c7b822034fa09972cbe73535a1fe41ecfea1e8
                                                                                                • Opcode Fuzzy Hash: c046d6cde7fbed215275338122ff06d0e96192740feee719ff0e802ce86289a5
                                                                                                • Instruction Fuzzy Hash: 3E916E35A00615CFCB14EF75C8989EEB7B2FF88310B14865AD959AB354EB70ED46CB80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 53c407f93e423d1fd2ca3cb9c8da0e6461348129f137b7957df0b50613d1b031
                                                                                                • Instruction ID: a7ddbf9253dc4794b329ef17c20e7e9b8ad7ba35931a3caab00a3177d2150d22
                                                                                                • Opcode Fuzzy Hash: 53c407f93e423d1fd2ca3cb9c8da0e6461348129f137b7957df0b50613d1b031
                                                                                                • Instruction Fuzzy Hash: 5F61E5319053489FD702DF78D964BD9BFB2EF8A300F158187E140AB292EB35A949CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: cd65a13b76f3235a67f64a25c374e48c0fbd389d7482ac7c525c8bbd75df4938
                                                                                                • Instruction ID: e28f12de37ec8cc04095414630b4a3eeb8bb0771d8a9b005c8d33a1161dc3c81
                                                                                                • Opcode Fuzzy Hash: cd65a13b76f3235a67f64a25c374e48c0fbd389d7482ac7c525c8bbd75df4938
                                                                                                • Instruction Fuzzy Hash: 67519B35B002089FCB15DF79D9846EEBBF7EBC9610B1481AAD405E7354DA309C06CBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 71392f878541cd6822b639455f9960b91a178a4627b2a7a1d6e8a8af20ec3076
                                                                                                • Instruction ID: aae30b08919c8209f503544a8e0174640aa628103897af15c594bf59641c46f1
                                                                                                • Opcode Fuzzy Hash: 71392f878541cd6822b639455f9960b91a178a4627b2a7a1d6e8a8af20ec3076
                                                                                                • Instruction Fuzzy Hash: 58518F357002148FD714EF25D599AAEBBF7EF88610714816AE849DB355DF70EC06CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f4bbb8c0701d89ab0817346558f66c5fdecb0e0eafbf64ff11940fb523972f55
                                                                                                • Instruction ID: 13d9c417905fd2f22d904db17abee5e4254cd4779ac3afb101023bd06404a725
                                                                                                • Opcode Fuzzy Hash: f4bbb8c0701d89ab0817346558f66c5fdecb0e0eafbf64ff11940fb523972f55
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_438d000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5e594c2ae9087572777d8caab88dacc8b225c33e18a18114e8bf6c31d4057b2b
                                                                                                • Instruction ID: 87d635bdc36a1e5d85d1b34bfdc52009ecdb289fe98f507ff95a8f96a2f1d284
                                                                                                • Opcode Fuzzy Hash: 5e594c2ae9087572777d8caab88dacc8b225c33e18a18114e8bf6c31d4057b2b
                                                                                                • Instruction Fuzzy Hash: CC01F7B15043409BD7106E19EDC4767FFD8EF81324F18C05EED444B686D279E941C6B2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a75a36903acd9893a1c369f08d6c366b848e14f6168890a252ae3ee95c4c00c2
                                                                                                • Instruction ID: 5a864b80526b491fa4976db8ff31e34ec0b3dfcb58fb298f4edd9c4bdaf9af2b
                                                                                                • Opcode Fuzzy Hash: a75a36903acd9893a1c369f08d6c366b848e14f6168890a252ae3ee95c4c00c2
                                                                                                • Instruction Fuzzy Hash: 6801A731B0460887DB28AB6AC4187EFBAE7DFC9600F20806ED50AA7390DF754D058BD5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000002.11750141002.000000000438D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0438D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_2_438d000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 17dbfcf4ff677e7fc2210fe6aee574d497333f962e76d0aa9cd2adf000d9061c
                                                                                                • Instruction ID: fbc3d2dd398061c7dc05c6a1a21daca9e5aa1785c42f1771944c6b82683b3788
                                                                                                • Opcode Fuzzy Hash: 17dbfcf4ff677e7fc2210fe6aee574d497333f962e76d0aa9cd2adf000d9061c
                                                                                                • Instruction Fuzzy Hash: 7E011E6140D3C09FD7129B259D94B52BFB4EF43224F1981DFD9888F197C2699849C772
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a9f81ccf258f9e054f97dc729681049486e3daed31e77c09835b795026f5b842
                                                                                                • Instruction ID: 3bf18d35ddd5202d77b9ccbc237c07b747ea9e675ce8566b6d76e189aa74b1b1
                                                                                                • Opcode Fuzzy Hash: a9f81ccf258f9e054f97dc729681049486e3daed31e77c09835b795026f5b842
                                                                                                • Instruction Fuzzy Hash: 5101D131B0020897DB28AAA985697EF7AF6AB88700F25406FC406F3380CE754C01CBE1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ecb48ddd5a25d613c2f58629bd9bb3d14d97d3a907858ad109339b6f9b41f5ce
                                                                                                • Instruction ID: 4241cee772060d1688d8004fe59fd1e4fc78703cdb8166ce41b82824d0dbf2d1
                                                                                                • Opcode Fuzzy Hash: ecb48ddd5a25d613c2f58629bd9bb3d14d97d3a907858ad109339b6f9b41f5ce
                                                                                                • Instruction Fuzzy Hash: 7BF0593230A31417C721911368D4EFF7B5BEFC9A50B08816FE90DC7381DA258805C2F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a6f8a404361165f8e58cae81af323156a5a399154ec85c03858178021fe3d6eb
                                                                                                • Instruction ID: 2fa0967b8304a9c08ba6b3fb392eedae98a34852775c7dc0b5b63a56321ea73e
                                                                                                • Opcode Fuzzy Hash: a6f8a404361165f8e58cae81af323156a5a399154ec85c03858178021fe3d6eb
                                                                                                • Instruction Fuzzy Hash: 6CF08271300316579324A65EE9958EBBBDBEFC8660341442AEA1A87300DE71EC095791
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 61a945c3f539c20902aff0c5ccc8c433c6e25522dccc285b09e1c53623ff0e11
                                                                                                • Instruction ID: 7b9632f136f7deca89710a1271c3560e65d67120b7c27612eddda78266af2775
                                                                                                • Opcode Fuzzy Hash: 61a945c3f539c20902aff0c5ccc8c433c6e25522dccc285b09e1c53623ff0e11
                                                                                                • Instruction Fuzzy Hash: 7DF02772300312479320A65DE9958EBA7DBEFC8230300442BEE1AC7300DF70EC095790
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 15f53d0fc0fadc92833f34dc4821c74781db09eb672010a803630f3afc82fe9e
                                                                                                • Instruction ID: 5bd21e939dc0a630449524938bdeae784db5555dc1e43ec3eed0d0e9c8b843fb
                                                                                                • Opcode Fuzzy Hash: 15f53d0fc0fadc92833f34dc4821c74781db09eb672010a803630f3afc82fe9e
                                                                                                • Instruction Fuzzy Hash: 5AF055767046410BE306D628DC40BA6F78BEFC522CF5840BAC549E3287EB3998098390
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7a015d6094ebf79f622e94e199b61924883ce65afaf2882b20cf006b8d4d6a13
                                                                                                • Instruction ID: b50c86bba4030a79e8f756b3f6c1ae51ddf937628135f4c76275ce728ae382de
                                                                                                • Opcode Fuzzy Hash: 7a015d6094ebf79f622e94e199b61924883ce65afaf2882b20cf006b8d4d6a13
                                                                                                • Instruction Fuzzy Hash: 64E0DF28B18E5C06FFB851B18A953F7289A5B41604F0801FFD896C6B9BEBD5C84633D3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b62bff1b76c328a7655d7ac912bb0184580496848f2064bf1e970584ee312a18
                                                                                                • Instruction ID: d92c944cb67472d28317fc79ca62995887cb60a008d08ab077cec8399fa15882
                                                                                                • Opcode Fuzzy Hash: b62bff1b76c328a7655d7ac912bb0184580496848f2064bf1e970584ee312a18
                                                                                                • Instruction Fuzzy Hash: 4EE06D7154A3C8AFC701DBB4ED228EE7FF9DA86214B1004DED808D7652D5325A48EBA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 706f024d5f4d287748f7ad41bf5951a5d5b548cfc759854926a34fdffc5ced34
                                                                                                • Instruction ID: dfb9656f69f2cfc1a3c1f60fdc57137dabf01c9707d2d4c5cf069d1f955e04c0
                                                                                                • Opcode Fuzzy Hash: 706f024d5f4d287748f7ad41bf5951a5d5b548cfc759854926a34fdffc5ced34
                                                                                                • Instruction Fuzzy Hash: 17E086367002015BE314A55AE840957F39FEFC9638B64447DD60DD7356DE72EC0AC690
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6ebc8690fabf5925f8530896881d1dcc4283f05cfb7bb12cb0dd4115deceeeb2
                                                                                                • Instruction ID: 48f21318bed00a4c97b39df2f08e0a96c04234a8d7576e22ca58d99537ddea58
                                                                                                • Opcode Fuzzy Hash: 6ebc8690fabf5925f8530896881d1dcc4283f05cfb7bb12cb0dd4115deceeeb2
                                                                                                • Instruction Fuzzy Hash: CBD0A77B3400144FD3045B50E6993EA3F56DB44222F084027EA8A87364DE259863EBD0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 99fb7d56f215dbaaddc7a99eecb3ea7916e6b0220c56f0a129b47cbd61550d20
                                                                                                • Instruction ID: d05e539d5b966c3e321b3dd41796f9f69fad2e6e1a7aba3cb1677202c2cba3c9
                                                                                                • Opcode Fuzzy Hash: 99fb7d56f215dbaaddc7a99eecb3ea7916e6b0220c56f0a129b47cbd61550d20
                                                                                                • Instruction Fuzzy Hash: 78E04FB2E05288DFC780DBA4DA555AC7BB1AB8520571045EEC80DE7211EA715E06D741
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5d90c0bb756fb8ab9ac0b2bf4d03efa16e488e185d010b27ce0cdfaf91f2d743
                                                                                                • Instruction ID: ffaaeb40b2df852c126fdbbf2ce634039310d29ea4e112c2a50abfc3a12ca900
                                                                                                • Opcode Fuzzy Hash: 5d90c0bb756fb8ab9ac0b2bf4d03efa16e488e185d010b27ce0cdfaf91f2d743
                                                                                                • Instruction Fuzzy Hash: 36D05E217092A02F8305D71998114E2BBA59B9A225719C0EBE848CB252C562CD0283E6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 144b1a596a485b419a3bc6a8be5b90c6db389d4534786f6655197c61f603f287
                                                                                                • Instruction ID: 3db6c8a8efb5ebbe76e7ad62be1f7727b2ce407197aa33db5dd41fdf0ffa3b43
                                                                                                • Opcode Fuzzy Hash: 144b1a596a485b419a3bc6a8be5b90c6db389d4534786f6655197c61f603f287
                                                                                                • Instruction Fuzzy Hash: 4CD0A73135011C5F43047659D94C8EA7BEADB443913501427FA0693210DE61AD52DBE5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2c34c1e0406809cb531b263073579808d530d58dba1460f44201f492f362cdb3
                                                                                                • Instruction ID: 30e4db0b1663664abe2eb0090dc2d34b0cf2aa146d49f82120113b85f0214b13
                                                                                                • Opcode Fuzzy Hash: 2c34c1e0406809cb531b263073579808d530d58dba1460f44201f492f362cdb3
                                                                                                • Instruction Fuzzy Hash: D3D0127090024CEBCB00DFA8DA1159DB7F5EB48204B104499D809D3350DA326E08AB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1539bebf7404bc12f320e5d7fb984b7068471d8a41ff012b8c948594736b9efb
                                                                                                • Instruction ID: 866cb92510f82d06784b2f8d40b9d8464cce211a8cb2b09df057cae024e6b3cb
                                                                                                • Opcode Fuzzy Hash: 1539bebf7404bc12f320e5d7fb984b7068471d8a41ff012b8c948594736b9efb
                                                                                                • Instruction Fuzzy Hash: 7DD05B7190020CEFC740DFA8D9459ADB7F5EB442057504099D80DD7300DA716F05D740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000006.00000003.11748833720.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_6_3_5470000_rundll32.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c04a7915351c10727c2ea8864c7776d4c7e42678707cd8526b7c87e8f724ade7
                                                                                                • Instruction ID: a8be34c1becfbf5db9b939d31a8c35f2a6f2b5a079b665f1ab3a04cacf7b3498
                                                                                                • Opcode Fuzzy Hash: c04a7915351c10727c2ea8864c7776d4c7e42678707cd8526b7c87e8f724ade7
                                                                                                • Instruction Fuzzy Hash: 3AC08C3100C3804FC7068BA4C8529C27FB0AE2231139682ABE0C2C1132C6294802DB22

                                                                                                Execution Graph

                                                                                                Execution Coverage:10.8%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:4.4%
                                                                                                Total number of Nodes:271
                                                                                                Total number of Limit Nodes:20
                                                                                                 execution_graph (drawn as an interactive graph in the original report; the edge list does not survive extraction, so only the entry nodes and the nodes that resolve to an API are kept here)
                                                                                                 • Entry nodes: b81238, 39c0482, 39c5e68, 39c66a9, 4c201f0, 4c21130, 4c2167c, 4c24b60, 51504b0, 5150678, 5152ba0
                                                                                                 • RtlGetVersion: b84c60 (block b84d1d), reached from b836b0 / b836a3 via b80e7f and b80e24
                                                                                                 • CryptProtectData: 39c0b22, 39c0e48 (block 39c1638), 39c1127, 39c1138, 39c138e
                                                                                                 • CreateNamedPipeW (three call sites each): 4c22d98, 4c22da8, reached from 39c0438 / 39c0448
                                                                                                 • ConnectNamedPipe: 4c24bb4, reached from 4c24b60
                                                                                                 • WaitNamedPipeW: 51506c0, reached from 5150678
                                                                                                 • CreateProcessAsUserW: 4c20243, reached from 4c201f0
                                                                                                 • CreateFileA: 51507f0 (within 51500b0), reached from 51504b0 through 5150600 and 5150790 / 51507a0
                                                                                                 • RegDisablePredefinedCache: 5152c59, reached from 5152ba0

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (interactive in the original report): basic blocks b84beb-b84e32 of the function at b84c60; RtlGetVersion is called in block b84d09-b84dd8; block b84cb5-b84cc4 calls b84848 and block b84cce calls b852f8 or b852e8
                                                                                                APIs
                                                                                                • RtlGetVersion.NTDLL(0000009C), ref: 00B84DBE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12973207968.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b80000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: Version
                                                                                                • String ID:
                                                                                                • API String ID: 1889659487-0
                                                                                                • Opcode ID: 38e9baad841a8f9cd9bdf63bf2ef4c8812c67336fa0e04a674c26997d6b72dc9
                                                                                                • Instruction ID: 0beb964d9a69b718e7a2cbdd2a4a3ff4b20285010b2b19a56db7d8ed77b03f08
                                                                                                • Opcode Fuzzy Hash: 38e9baad841a8f9cd9bdf63bf2ef4c8812c67336fa0e04a674c26997d6b72dc9
                                                                                                • Instruction Fuzzy Hash: 5541EE75A042698FDF20DBA8C804BAEBBF5FB45300F1445EAD149E7281DB358E59CF92

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (interactive in the original report): basic blocks 4c201f0-4c20303; CreateProcessAsUserW is called in block 4c2027b-4c202d2
                                                                                                APIs
                                                                                                • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04C202BF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcessUser
                                                                                                • String ID:
                                                                                                • API String ID: 2217836671-0
                                                                                                • Opcode ID: 89319062e005f0ac6c33d80cffe6a06c0b2ee1fe2b0d1f4c99bfe779ae8d02c5
                                                                                                • Instruction ID: 75b596fc0c0069b5947f8da9db5628f62634e4f13f119c537046e7b7f65a1980
                                                                                                • Opcode Fuzzy Hash: 89319062e005f0ac6c33d80cffe6a06c0b2ee1fe2b0d1f4c99bfe779ae8d02c5
                                                                                                • Instruction Fuzzy Hash: 1C415875900249DFCF01CF9AC984ADEBBF2FF48310F14842AE918A7250D374AA55CF50
                                                                                                APIs
                                                                                                • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 04C234F4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateNamedPipe
                                                                                                • String ID:
                                                                                                • API String ID: 2489174969-0
                                                                                                • Opcode ID: c47b986fa9824a2afd7a4254dc470b5c53a9f29c1953916b0953666f865c9d67
                                                                                                • Instruction ID: 4c3b714ed94dd73f2e90193d8c8d5445502d908aff6db4ab5f290ca1931a6118
                                                                                                • Opcode Fuzzy Hash: c47b986fa9824a2afd7a4254dc470b5c53a9f29c1953916b0953666f865c9d67
                                                                                                • Instruction Fuzzy Hash: 913149B5800288DFCB11CFAAD588A8EBFF5FF48310F14C459E918AB221D375A955CF61
                                                                                                APIs
                                                                                                • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 039C16AE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12991550521.00000000039C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 039C0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_39c0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CryptDataProtect
                                                                                                • String ID:
                                                                                                • API String ID: 3091777813-0
                                                                                                • Opcode ID: 6a04a594722923faefff37924425669a21e2fc1e44e2d4d21acf64fc9edd2ca3
                                                                                                • Instruction ID: ca7d0ac38d7b74a0544c6df4e91139d78bafd49565c4f7a3db5876b93704b9b2
                                                                                                • Opcode Fuzzy Hash: 6a04a594722923faefff37924425669a21e2fc1e44e2d4d21acf64fc9edd2ca3
                                                                                                • Instruction Fuzzy Hash: 052178B680024A8FCF11CF9AC944ADEBBF1FF88310F14881AE914A7241D335A555CFA5
                                                                                                APIs
                                                                                                • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 039C16AE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12991550521.00000000039C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 039C0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_39c0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CryptDataProtect
                                                                                                • String ID:
                                                                                                • API String ID: 3091777813-0
                                                                                                • Opcode ID: dcc52b1c16a8b41e5c64d9f51e1c6f0b68449cadc2fd7587450dfbd01efe9232
                                                                                                • Instruction ID: 6cfc38197f2cb0f532f18c8e464afebe6a93ab7f3ad50b545b989cdd6b4c0128
                                                                                                • Opcode Fuzzy Hash: dcc52b1c16a8b41e5c64d9f51e1c6f0b68449cadc2fd7587450dfbd01efe9232
                                                                                                • Instruction Fuzzy Hash: 022157B68002499FCF10DF9AC944ADEBBF5FF48310F14881EE914A7241D339A551CFA5

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (interactive in the original report): basic blocks 4c23330-4c23531; CreateNamedPipeW is called in block 4c234a2-4c23507; block 4c2341e-4c23433 calls 4c22700
                                                                                                APIs
                                                                                                • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 04C234F4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateNamedPipe
                                                                                                • String ID:
                                                                                                • API String ID: 2489174969-0
                                                                                                • Opcode ID: ea463c9baae1b3d822e91563b9de9d5671e06a447223781e97494ce57745e560
                                                                                                • Instruction ID: 7a3adcf5b63851457f82e4319fb8a37157ef1875115c194fb54cddaca6aa92fd
                                                                                                • Opcode Fuzzy Hash: ea463c9baae1b3d822e91563b9de9d5671e06a447223781e97494ce57745e560
                                                                                                • Instruction Fuzzy Hash: A061E470A003589FCB11CFA9C944BAEBFF6FF88300F14846AD909AB291D775A905CB61

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (interactive in the original report): basic blocks 4c20330-4c206b2; no API call resolved in this function
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 509569722b734cfb675186d577e266e61b3df05873bd89bd7571cdc35359ad73
                                                                                                • Instruction ID: 0df9ed76b7ea816f8813c8e19f136feb05aa1d5679577d70fee17e34a0ff6e76
                                                                                                • Opcode Fuzzy Hash: 509569722b734cfb675186d577e266e61b3df05873bd89bd7571cdc35359ad73
                                                                                                • Instruction Fuzzy Hash: C951E374B402119FDB14DB35D854B7EBBB3AB89320F248669D901AB3D2DFB1AC45CB80

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (interactive in the original report): basic blocks 51507e4-515097b; CreateFileA is called in block 51508a0-5150923
                                                                                                APIs
                                                                                                • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0515090D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12998464216.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_5150000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
                                                                                                • Opcode ID: 506d7dda186cd3537fb81c504b68ae2d5d410af7fef26d298d61a131a84953d9
                                                                                                • Instruction ID: aebbd522cc4454dd6bbedeb5a2e9c9893c59a510584a57d3b286d85b5a5d64c1
                                                                                                • Opcode Fuzzy Hash: 506d7dda186cd3537fb81c504b68ae2d5d410af7fef26d298d61a131a84953d9
                                                                                                • Instruction Fuzzy Hash: 695155B1D00259CFDB10CFA9C948B9DBBF2FF48314F248529E818AB295D7B59944CF91

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 675 51500b0-515084c 677 51508a0-5150923 CreateFileA 675->677 678 515084e-5150873 675->678 687 5150925-515092b 677->687 688 515092c-515096a 677->688 678->677 681 5150875-5150877 678->681 682 5150879-5150883 681->682 683 515089a-515089d 681->683 685 5150885 682->685 686 5150887-5150896 682->686 683->677 685->686 686->686 689 5150898 686->689 687->688 693 515096c-5150970 688->693 694 515097a 688->694 689->683 693->694 695 5150972 693->695 696 515097b 694->696 695->694 696->696
                                                                                                APIs
                                                                                                • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0515090D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12998464216.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_5150000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFile
                                                                                                • String ID:
                                                                                                • API String ID: 823142352-0
                                                                                                • Opcode ID: 227f865dba2efe62bf82bf550ed9b7c7cf3eabf76e42091587e0e6455648209f
                                                                                                • Instruction ID: 3bef5b785f785db65b8180a3ec2c8547114a85e3e4b9b4b49cdaaf50b969715d
                                                                                                • Opcode Fuzzy Hash: 227f865dba2efe62bf82bf550ed9b7c7cf3eabf76e42091587e0e6455648209f
                                                                                                • Instruction Fuzzy Hash: 265154B1D00249CFDB10DFA9C948B9EBBF2FF48310F248529E818AB255D7B99844CF91

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 724 4c201e9-4c20241 725 4c20243-4c20249 724->725 726 4c2024c-4c20250 724->726 725->726 727 4c20252-4c20255 726->727 728 4c20258-4c2026d 726->728 727->728 729 4c2027b-4c202b1 728->729 730 4c2026f-4c20278 728->730 731 4c202b4-4c202d2 CreateProcessAsUserW 729->731 730->729 732 4c202d4-4c202da 731->732 733 4c202db-4c20303 731->733 732->733
                                                                                                APIs
                                                                                                • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04C202BF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateProcessUser
                                                                                                • String ID:
                                                                                                • API String ID: 2217836671-0
                                                                                                • Opcode ID: 0ce4fd1b56992d6c9899d5738715752c8a14ebd8df5a1e7e8cd72b93f9f5fa85
                                                                                                • Instruction ID: 1a2656f79b00106deb40a69ed03c550949214bf105ead2fa4b7ab863ebab3572
                                                                                                • Opcode Fuzzy Hash: 0ce4fd1b56992d6c9899d5738715752c8a14ebd8df5a1e7e8cd72b93f9f5fa85
                                                                                                • Instruction Fuzzy Hash: 89415875900249DFCF11CF99C984AEEBBF2FF48310F15842AE918A7250D774AA55CF50

                                                                                                Control-flow Graph

                                                                                                control_flow_graph 748 5152ba0-5152c2b 755 5152c2d-5152c3a 748->755 756 5152c3c-5152c54 748->756 755->756 759 5152c59-5152c88 RegDisablePredefinedCache 755->759 757 5152d16-5152d40 756->757 766 5152d42 757->766 767 5152ccd 757->767 761 5152c91-5152cac call 5152a68 759->761 762 5152c8a-5152c90 759->762 773 5152cb1-5152cc9 761->773 762->761 768 5152d14 766->768 769 5152d44-5152d56 766->769 770 5152ccf 767->770 771 5152cd8 767->771 768->757 770->771 771->768 773->767
                                                                                                APIs
                                                                                                • RegDisablePredefinedCache.ADVAPI32 ref: 05152C71
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12998464216.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_5150000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: CacheDisablePredefined
                                                                                                • String ID:
                                                                                                • API String ID: 1885667121-0
                                                                                                • Opcode ID: 0c5b396ffe89e1c069e82bcf1680e983e90152273923410352e83f7e70874a77
                                                                                                • Instruction ID: d5569ea45723b897bf3a543ad2953effbffa472ab6a4ddd8f3cd6e182c4e79f1
                                                                                                • Opcode Fuzzy Hash: 0c5b396ffe89e1c069e82bcf1680e983e90152273923410352e83f7e70874a77
                                                                                                • Instruction Fuzzy Hash: 44319775D00208DBDB14DF99DA48B9DBBF2BF88310F24881AE826BB381DB746845CF50
                                                                                                APIs
                                                                                                • ConnectNamedPipe.KERNEL32(00000000), ref: 04C24BD8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConnectNamedPipe
                                                                                                • String ID:
                                                                                                • API String ID: 2191148154-0
                                                                                                • Opcode ID: 90fddb48cb0f6a69654b456b50fb0cba6b87294629b2edf2451644f9b0d9881c
                                                                                                • Instruction ID: 3557a96c83f3a08d42374e14fe5cae8b425ae7efeaf017d3fd97094f439ddf7e
                                                                                                • Opcode Fuzzy Hash: 90fddb48cb0f6a69654b456b50fb0cba6b87294629b2edf2451644f9b0d9881c
                                                                                                • Instruction Fuzzy Hash: 792139B0D002589FDB14CFA9C984BDEBBF5BF48700F14845AE849AB340D7B4A945CFA5
                                                                                                APIs
                                                                                                • ConnectNamedPipe.KERNEL32(00000000), ref: 04C24BD8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12996478762.0000000004C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_4c20000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConnectNamedPipe
                                                                                                • String ID:
                                                                                                • API String ID: 2191148154-0
                                                                                                • Opcode ID: d2e8f55964ea28801abe19a29e2b8ddb2d2521b0613e24a3f8ce66b49838030e
                                                                                                • Instruction ID: 795c330831ec9141144f6e878c7ff05787ee9e26d19bbaabaa23fb7071e40ed6
                                                                                                • Opcode Fuzzy Hash: d2e8f55964ea28801abe19a29e2b8ddb2d2521b0613e24a3f8ce66b49838030e
                                                                                                • Instruction Fuzzy Hash: 202126B0D00258DFCB14CF9AC684BDEBBF5AF48700F14845AE808AB340D7B4A945CFA4
                                                                                                APIs
                                                                                                • WaitNamedPipeW.KERNEL32(00000000), ref: 051506DF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12998464216.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_5150000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: NamedPipeWait
                                                                                                • String ID:
                                                                                                • API String ID: 3146367894-0
                                                                                                • Opcode ID: ae3ceb2f652ffa4a5605faa32963b0da22d29d15a4379dac5a4518d53f3f662d
                                                                                                • Instruction ID: 77f36a40996954789a981a054a489f8f7893298ef0ad68b16dc28cefd6bde8b6
                                                                                                • Opcode Fuzzy Hash: ae3ceb2f652ffa4a5605faa32963b0da22d29d15a4379dac5a4518d53f3f662d
                                                                                                • Instruction Fuzzy Hash: DF21E8B6C002498FCB10CF9AC544BDEBBF4FB48324F14885DD869A7641D779A545CFA1
                                                                                                APIs
                                                                                                • WaitNamedPipeW.KERNEL32(00000000), ref: 051506DF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12998464216.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_5150000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID: NamedPipeWait
                                                                                                • String ID:
                                                                                                • API String ID: 3146367894-0
                                                                                                • Opcode ID: 864b5d71082eb11a9eea1be1120905a6b343d7cff1e738c44fd65af63f7362e8
                                                                                                • Instruction ID: 005fa1998b1b6537c614c0e36ada71177ca0f6501a1d09c1ad7f1c5923eaf7a0
                                                                                                • Opcode Fuzzy Hash: 864b5d71082eb11a9eea1be1120905a6b343d7cff1e738c44fd65af63f7362e8
                                                                                                • Instruction Fuzzy Hash: C32108B5C002498FCB10CF9AC544ADEBBF4FF88320F14881ED869A7641D779A545CFA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12972712140.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b2d000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3c1c366a1cf85beb09339cd67cb72bf19b761b617f74cc231fde73d55868255f
                                                                                                • Instruction ID: 356e923550b1a04bfb73a832d5f5661a4dda5ad23103816e1ee6c4efb279da40
                                                                                                • Opcode Fuzzy Hash: 3c1c366a1cf85beb09339cd67cb72bf19b761b617f74cc231fde73d55868255f
                                                                                                • Instruction Fuzzy Hash: 5F21D675504240DFDB16DF14E9C4B26BFB6EB98324F34C5A9D80D0B256C33ADC55CAA2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12972712140.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b2d000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6253c5000405f4e58d99a20437aea1be83a5a3c82490a8a3288676d7cef194d9
                                                                                                • Instruction ID: 8de69afcde1481d20a67223b5234406728f46f20e0a04237d0b32db9527fe8a1
                                                                                                • Opcode Fuzzy Hash: 6253c5000405f4e58d99a20437aea1be83a5a3c82490a8a3288676d7cef194d9
                                                                                                • Instruction Fuzzy Hash: 9711E976504280CFCB16CF10D9C4B16BFB2FB98314F24C5E9D8490B256C33AD856CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12972712140.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b2d000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4e5974402149d1b9f249f681bf6b4bfaaec59b8be0566a51ef1286912112837d
                                                                                                • Instruction ID: 5b4da117ceaaf648a995aaf7256b051ba1b5b13586939cb4b35ea92afb459438
                                                                                                • Opcode Fuzzy Hash: 4e5974402149d1b9f249f681bf6b4bfaaec59b8be0566a51ef1286912112837d
                                                                                                • Instruction Fuzzy Hash: 3D014C6140D3D09FE7124B259C94652BFE8EF53224F1984DBE988CF1A3D2699C49CB72
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12972712140.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b2d000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bc93aa24b297e851cae9c17436cce3b01bde28e3b9059903fe657fc66280ba2e
                                                                                                • Instruction ID: 65f50952206ecd37927f916680bc664a08b9b70943b9e2c85daae7a8a970fd87
                                                                                                • Opcode Fuzzy Hash: bc93aa24b297e851cae9c17436cce3b01bde28e3b9059903fe657fc66280ba2e
                                                                                                • Instruction Fuzzy Hash: 1301F7715043509AD7105E19DDC4B67BFD8EF45320F18C49ADD484B192C2799C45C6B2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000009.00000002.12973207968.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_9_2_b80000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: p#vq
                                                                                                • API String ID: 0-773265635
                                                                                                • Opcode ID: 9ed77a910bf974814a70adbf96820c9d40b32e052899f252a8a4b9739aa95684
                                                                                                • Instruction ID: 696e8c300119fd9256d13592c1eb223d3add108ccc968270a2ba844718a197d9
                                                                                                • Opcode Fuzzy Hash: 9ed77a910bf974814a70adbf96820c9d40b32e052899f252a8a4b9739aa95684
                                                                                                • Instruction Fuzzy Hash: 3BE15D31D1065A8FCB01DFA5C8405DEFBF1FF99310F25869AE415BB254EB31A986CB90

                                                                                                Execution Graph

                                                                                                Execution Coverage:7.9%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:6
                                                                                                Total number of Limit Nodes:0
                                                                                                execution_graph 25900 7ffcd6ed3642 25901 7ffcd6ef55b0 CreateNamedPipeW 25900->25901 25903 7ffcd6ef56e3 25901->25903 25904 7ffcd6ed80bc 25905 7ffcd6ed80bf SetProcessMitigationPolicy 25904->25905 25907 7ffcd6ed8152 25905->25907
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 181c5e5675c92889ba316341984a89b338f120ac770ef1f349bfeb2faa6fac39
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e63db12fd8ea2dee02046bcb605c3b4ee8bd8319dfa27c3cd458d255b04f9e05
                                                                                                • Instruction ID: 7407a0019a10e7ff834c0323272be9ed7ef08f84f334078ba0a8c3610c9c51d1
                                                                                                • Opcode Fuzzy Hash: e63db12fd8ea2dee02046bcb605c3b4ee8bd8319dfa27c3cd458d255b04f9e05
                                                                                                • Instruction Fuzzy Hash: 35118E71A08D1A8FEA98EB18C460B6D73E1FF58300F1442B9C45DCB287CE39E842CB90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 77c669ade5b9bd3288b216b353cd2bfc3c66eb58d638f8ad2b28b8608d51cb2e
                                                                                                • Instruction ID: e36150cbb4793e2771a1d985d5f8ad57b10b35e93bd2c40f10e92b641ef991fd
                                                                                                • Opcode Fuzzy Hash: 77c669ade5b9bd3288b216b353cd2bfc3c66eb58d638f8ad2b28b8608d51cb2e
                                                                                                • Instruction Fuzzy Hash: 03116071A18D5A4FEB88EB18C450B6977E1FF59304F1442E9C45DCB287CE39E846CB94
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e8bae80255b806c948f14460762aca45783c021935f7c7a91589ae08b6c499d4
                                                                                                • Instruction ID: 3e3fbe396cb1c0113275a932abca309159ab9afb8b9127b97a033fa8dc030c92
                                                                                                • Opcode Fuzzy Hash: e8bae80255b806c948f14460762aca45783c021935f7c7a91589ae08b6c499d4
                                                                                                • Instruction Fuzzy Hash: CE110614E0CA7B0BF769932A84A037D2AD1DF96300F1982BBD85DC61D2DD2CDC81D361
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b54d17c21dc1df1b1e97babf9b4d49fc26bbe9e55c4f854ff6b44ca3a5b40400
                                                                                                • Instruction ID: 215189b33ccef8d63ce4e8ec79c03484c5482ddb37b7ad7cb51ff8530d96e4f9
                                                                                                • Opcode Fuzzy Hash: b54d17c21dc1df1b1e97babf9b4d49fc26bbe9e55c4f854ff6b44ca3a5b40400
                                                                                                • Instruction Fuzzy Hash: 64016730A0953F59FE9D9A1644A26BD12C9AF55305F88027ED86ECE1C7CE3CE804C2B1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c1da3d9a8da822b2c03ca87e764145d681c7699163c9cf08ce0b65fc3c84a204
                                                                                                • Instruction ID: 9a36ef2d94fe2423443b14a9aa47f526e75fcde8d33c20cff2a5ed44e89aa9f4
                                                                                                • Opcode Fuzzy Hash: c1da3d9a8da822b2c03ca87e764145d681c7699163c9cf08ce0b65fc3c84a204
                                                                                                • Instruction Fuzzy Hash: 30E0D82150F3D54FDB47AB38C4A88E53F60DE1735034941EBD485CF1B3E5148949C751
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: db2738a3797ffa7ee52a8779253e8a249051d7883809da0c2d120011f2f01e3a
                                                                                                • Instruction ID: c8c6cd07b9c352fdd042aabb991a6f8178741b74302331ecdf2fa55294c1489e
                                                                                                • Opcode Fuzzy Hash: db2738a3797ffa7ee52a8779253e8a249051d7883809da0c2d120011f2f01e3a
                                                                                                • Instruction Fuzzy Hash: A3F0653550D69C5FCB82EB64E4558D57FB0EE56321B0901CBE05DCF053E7219A55CB82
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6f8e61fd792ddd2b6d949e91ea8954454137d47d51f94c2895c54e06e5879420
                                                                                                • Instruction ID: b9641f588f741f12845fffaba457e3c360af2a42404841576f4ff56fdb4c25e6
                                                                                                • Opcode Fuzzy Hash: 6f8e61fd792ddd2b6d949e91ea8954454137d47d51f94c2895c54e06e5879420
                                                                                                • Instruction Fuzzy Hash: 2AE08C25E0C63B02FB6C256668913BD60C58F06310F19417BA92EC00C1DD6CDC80D1A2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d183eaa49b4473a20611e11c9a699164583299b3cb9666bf500592ac886f1855
                                                                                                • Instruction ID: db4ea2735485b09d343257b906f4fcb5d95d317ad0cb0fc066b6003985cce27f
                                                                                                • Opcode Fuzzy Hash: d183eaa49b4473a20611e11c9a699164583299b3cb9666bf500592ac886f1855
                                                                                                • Instruction Fuzzy Hash: 50C04C11F5CC3D0AA594B55C3455BBC41C2D788661BA511F3E98CC228EDD195C8253C1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c7183572114f50c7ee5640b63c4a578d75a9145a10810d95a63217562a64d0a7
                                                                                                • Instruction ID: b6f5d93735838b53f00fcf3812880c8b81c345b8cb5313a2b8a36be520cb3366
                                                                                                • Opcode Fuzzy Hash: c7183572114f50c7ee5640b63c4a578d75a9145a10810d95a63217562a64d0a7
                                                                                                • Instruction Fuzzy Hash: 04D02211D0E8AD8FEB80FF3C448902D23C4EFAA34871085BAE01CCB1D1D828A84D8390
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000A.00000002.13000706375.00007FFCD71E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCD71E0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_10_2_7ffcd71e0000_ScreenConnect.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5fcdc6a2d2271ed7f581b0e9604e4d707bed8d962b766b5e5285322056c83aa6
                                                                                                • Instruction ID: 8b379ca852b3b4ff7cdde06b5c98e11e16144aec90e185d8003e7cea3d088e42
                                                                                                • Opcode Fuzzy Hash: 5fcdc6a2d2271ed7f581b0e9604e4d707bed8d962b766b5e5285322056c83aa6
                                                                                                • Instruction Fuzzy Hash: ACC09B10E58D6F46F154EF25C45117D11526F8C301F504537D07D815C6CD3CA501ED55