
Windows Analysis Report
SecuredOnedrive.ClientSetup.exe

Overview

General Information

Sample name:SecuredOnedrive.ClientSetup.exe
Analysis ID:1582217
MD5:58fe579f71dbeda2fd50c1b046b5f3ef
SHA1:84eeee9907009151ad5efc1074fb5db27bd2977a
SHA256:40cafa4d9e7220f582af1ecc2a4b0ea1ab4b3b76fd83a398a0ebb50eeb5fce7d

Detection

ScreenConnect Tool
Score:66
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:32
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w11x64_office
  • SecuredOnedrive.ClientSetup.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe" MD5: 58FE579F71DBEDA2FD50C1B046B5F3EF)
    • msiexec.exe (PID: 7760 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi" MD5: FE653E9A818C22D7E744320F65A91C09)
  • msiexec.exe (PID: 7812 cmdline: C:\Windows\system32\msiexec.exe /V MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
    • msiexec.exe (PID: 7864 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CDC695C786B87D91944C325686561171 C MD5: FE653E9A818C22D7E744320F65A91C09)
      • rundll32.exe (PID: 7944 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIFF23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4981171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: A79FE1974156C5C9ED4331BF78D2DBB1)
      • MpCmdRun.exe (PID: 7944 cmdline: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" -wdenable MD5: 7C8CFF40C38AB2F6B04DD3B02300FFE5)
        • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • msiexec.exe (PID: 444 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6335C8719D19856AFEB05288D3114137 MD5: FE653E9A818C22D7E744320F65A91C09)
    • msiexec.exe (PID: 6416 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B464B350F906B2FB2D672B4A7BCB970B E Global\MSI0000 MD5: FE653E9A818C22D7E744320F65A91C09)
  • ScreenConnect.ClientService.exe (PID: 1324 cmdline: "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=e985b3b5-2d48-4579-950f-7cf7cea64711&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 6168 cmdline: "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "edc17081-6a59-4efc-9fc6-c2cfd9657873" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 1696 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 8EC922C7A58A8701AB481B7BE9644536)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SecuredOnedrive.ClientSetup.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DF396F1F6BCFA4F979.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\SystemTemp\~DF3E7AF8623EFBA648.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF1EE28CC3FA69E8B2.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF705F767D6988847A.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(5 further entries not shown)

Source | Rule | Description | Author | Strings
00000000.00000002.1357121023.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: SecuredOnedrive.ClientSetup.exe PID: 7700 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(2 further entries not shown)

Source | Rule | Description | Author | Strings
36.2.ScreenConnect.WindowsClient.exe.276cee0.4.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
36.0.ScreenConnect.WindowsClient.exe.3c0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.SecuredOnedrive.ClientSetup.exe.5ad0000.7.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.0.SecuredOnedrive.ClientSetup.exe.945db0.2.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.SecuredOnedrive.ClientSetup.exe.5ad0000.7.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(3 further entries not shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: ScreenConnect Client (f40cdcc9172e57c6) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7812, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-D15A-B6D70EA663B0}\(Default)
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 704, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 1696, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: SecuredOnedrive.ClientSetup.exe | Virustotal: Detection: 26%
Source: SecuredOnedrive.ClientSetup.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_03FD0E48 CryptProtectData, 35_2_03FD0E48
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_03FD1631 CryptProtectData, 35_2_03FD1631
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | EXE: msiexec.exe

Compliance

Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | EXE: msiexec.exe
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: certificate valid
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3188337642.0000000000D70000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3189048412.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: SecuredOnedrive.ClientSetup.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000023.00000000.2588041735.000000000066D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1360091571.0000000004F10000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: SecuredOnedrive.ClientSetup.exe, MSIE625.tmp.2.dr, MSIE355.tmp.2.dr, 4c07e0.msi.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 4c07de.msi.2.dr, 4c07df.rbs.2.dr, MSIE335.tmp.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: SecuredOnedrive.ClientSetup.exe, 4c07e0.msi.2.dr, MSIFF23.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 4c07de.msi.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3188520857.0000000000DA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3188520857.0000000000DA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: SecuredOnedrive.ClientSetup.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: instance-cb2j07-relay.screenconnect.com
Source: global traffic | DNS traffic detected: DNS query: assets.msn.com
Source: global traffic | DNS traffic detected: DNS query: res.public.onecdn.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: tse1.mm.bing.net
Source: global traffic | DNS traffic detected: DNS query: browser.events.data.msn.cn
Source: svchost.exe, 00000026.00000003.2626285525.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087687332.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095647827.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723
Source: svchost.exe, 00000026.00000003.2751597461.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 00000026.00000003.2921467345.0000020C73681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2761467795.0000020C73681000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000026.00000002.3188257461.0000020C736CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tbpose
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000026.00000002.3187750966.0000020C7364F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000026.00000002.3187703294.0000020C73633000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasiDatan.o
Source: svchost.exe, 00000026.00000003.2763803473.0000020C73176000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.o
Source: svchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3098700963.0000020C7317C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000026.00000003.2639419884.0000020C7312D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
Source: svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3098700963.0000020C7317C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdws/20
Source: svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurixmlns:S
Source: svchost.exe, 00000026.00000003.3111135912.0000020C73C1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 00000026.00000003.2911730553.0000020C7310E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDp
Source: svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2Data
Source: svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2UTF-8
Source: ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001C58000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.00000000019A9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001919000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001A7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000023.00000002.3185732442.0000000000B84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://instance-cb2j07-relay.screenconnect.com:443/C
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
                                  Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.drString found in binary or memory: http://ocsp.digicert.com0X
                                  Source: svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                                  Source: svchost.exe, 00000026.00000003.2763654201.0000020C73107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                                  Source: svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsofthttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.
                                  Source: svchost.exe, 00000026.00000003.3104367415.0000020C73197000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087687332.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3187449867.0000020C73137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095647827.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                                  Source: svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                                  Source: svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3086962579.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2923741941.0000020C73169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2639726994.0000020C7316A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3099009354.0000020C73176000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                                  Source: svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scce
                                  Source: svchost.exe, 00000026.00000002.3187449867.0000020C73137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
                                  Source: svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scnnect
                                  Source: svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3086962579.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2923741941.0000020C73169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2639726994.0000020C7316A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3099009354.0000020C73176000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                                  Source: svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                                  Source: svchost.exe, 00000026.00000002.3187502159.0000020C7315F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                                  Source: svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
                                  Source: ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001852000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/202733830568NFQXJP
                                  Source: rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                  Source: rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.drString found in binary or memory: http://wixtoolset.org/news/
                                  Source: rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.drString found in binary or memory: http://wixtoolset.org/releases/
                                  Source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.drString found in binary or memory: http://www.digicert.com/CPS0
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?0#
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iw
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                                  Source: svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.2.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                                  Source: ScreenConnect.Core.dll.2.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.li0#
                                  Source: svchost.exe, 00000026.00000002.3187841428.0000020C73672000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105515248.0000020C73D23000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105722631.0000020C73D23000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3100091779.0000020C73CA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                                  Source: svchost.exe, 00000026.00000002.3187841428.0000020C73672000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3187551839.0000020C73600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
                                  Source: svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf9524
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                                  Source: svchost.exe, 00000026.00000002.3187750966.0000020C7364F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                                  Source: svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3187750966.0000020C7364F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfLMEMX
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfLMEMXH
                                  Source: svchost.exe, 00000026.00000002.3187750966.0000020C7364F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfQ
                                  Source: svchost.exe, 00000026.00000002.3187750966.0000020C7364F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srftificate
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                                  Source: svchost.exe, 00000026.00000003.2622151651.0000020C73127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622151651.0000020C73127000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                                  Source: svchost.exe, 00000026.00000003.2622151651.0000020C73127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                                  Source: svchost.exe, 00000026.00000003.2621928659.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622012949.0000020C7316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                                  Source: svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                                  Source: svchost.exe, 00000026.00000003.2622129796.0000020C73157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                                  Source: svchost.exe, 00000026.00000003.2622129796.0000020C73157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp(
                                  Source: svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                                  Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622800292.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srfce
                                  Source: svchost.exe, 00000026.00000002.3188557674.0000020C736F4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087687332.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095647827.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                                  Source: svchost.exe, 00000026.00000003.3105597861.0000020C73CBF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105515248.0000020C73D23000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105722631.0000020C73D23000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3100091779.0000020C73CA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comwwCP=
                                  Source: svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                                  Source: svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf(
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
                                  Source: svchost.exe, 00000026.00000003.2622151651.0000020C73127000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
                                  Source: svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                                  Source: svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49850
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49846 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 443
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49846
                                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844

                                  Spam, unwanted Advertisements and Ransom Demands

                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                                  System Summary

                                  Source: SecuredOnedrive.ClientSetup.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_055025D0 CreateProcessAsUserW
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4c07de.msi
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DF3E7AF8623EFBA648.TMP
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{7194EC79-79EF-CD38-454E-84482F62C93C}
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DFB2A96BC841F890A8.TMP
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE335.tmp
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE355.tmp
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE625.tmp
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4c07e0.msi
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{7194EC79-79EF-CD38-454E-84482F62C93C}
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{7194EC79-79EF-CD38-454E-84482F62C93C}\DefaultIcon
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DF23B33A70C9B36438.TMP
                                  Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SystemTemp\~DF4FE358C48EE11916.TMP
                                  Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{7194EC79-79EF-CD38-454E-84482F62C93C}.SchedServiceConfig.rmi
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\winms52x.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\winms52x.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\0q1zoelz.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\0q1zoelz.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\rshksykx.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\rshksykx.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\b3xcq4a4.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\b3xcq4a4.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\h3t4sb1c.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\h3t4sb1c.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\jwokyamq.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\jwokyamq.newcfg
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\whi4mjsd.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f40cdcc9172e57c6)\whi4mjsd.newcfg
                                  Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIE355.tmp
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_017CD568
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_05500040
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953840498
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF95384BB68
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF95384A0AD
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953847008
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF95384961A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B55C91
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B5000A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B5687B
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B56AD8
                                  Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1350912245.0000000005830000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1351594744.00000000058E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1351594744.00000000058E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1351594744.00000000058E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1335781638.00000000030E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1381722385.000000000AF19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1381722385.000000000AF19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsiexec.exe vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000DBF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000DBF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1351275125.00000000058C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1357121023.0000000005C8C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1357121023.0000000005C8C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1357121023.0000000005C8C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1357121023.0000000005C8C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1370497139.0000000007CC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1370497139.0000000007CC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1370497139.0000000007CC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenamezlib.dll2 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenamewixca.dll\ vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs SecuredOnedrive.ClientSetup.exe
                                  Source: SecuredOnedrive.ClientSetup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: 0.2.SecuredOnedrive.ClientSetup.exe.5830000.1.raw.unpack, CursorBuffer.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.0.SecuredOnedrive.ClientSetup.exe.8963d4.5.raw.unpack, CursorBuffer.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.0.SecuredOnedrive.ClientSetup.exe.91c3d4.4.raw.unpack, WindowsToolkit.csCryptographic APIs: 'CreateDecryptor'
                                  Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: 0.0.SecuredOnedrive.ClientSetup.exe.91c3d4.4.raw.unpack, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                                  Source: 0.0.SecuredOnedrive.ClientSetup.exe.91c3d4.4.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                  Source: 0.0.SecuredOnedrive.ClientSetup.exe.91c3d4.4.raw.unpack, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                                  Source: classification engineClassification label: mal66.evad.winEXE@18/58@6/1
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exeMutant created: NULL
                                  Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5248:120:WilError_03
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                                  Source: SecuredOnedrive.ClientSetup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: SecuredOnedrive.ClientSetup.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIFF23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4981171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: SecuredOnedrive.ClientSetup.exeVirustotal: Detection: 26%
                                  Source: SecuredOnedrive.ClientSetup.exeReversingLabs: Detection: 23%
                                  Source: SecuredOnedrive.ClientSetup.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                                  Source: SecuredOnedrive.ClientSetup.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeFile read: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeJump to behavior
                                  Source: unknownProcess created: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe "C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe"
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
                                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDC695C786B87D91944C325686561171 C
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIFF23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4981171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" -wdenable
                                  Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6335C8719D19856AFEB05288D3114137
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B464B350F906B2FB2D672B4A7BCB970B E Global\MSI0000
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=e985b3b5-2d48-4579-950f-7cf7cea64711&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM"
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "edc17081-6a59-4efc-9fc6-c2cfd9657873" "User"
                                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CDC695C786B87D91944C325686561171 CJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6335C8719D19856AFEB05288D3114137Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B464B350F906B2FB2D672B4A7BCB970B E Global\MSI0000Jump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIFF23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4981171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "edc17081-6a59-4efc-9fc6-c2cfd9657873" "User"Jump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: cfgmgr32.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: virtdisk.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: smartscreenps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: shdocvw.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: appidapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wscapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: appidapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_1_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: servicingcommon.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: version.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: wscapi.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: virtdisk.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_1_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: virtdisk.dll
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: systemsettings.datamodel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cfgmgr32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: structuredquery.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.system.launcher.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.search.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.web.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elstrans.dll
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: certificate valid
Source: SecuredOnedrive.ClientSetup.exe | Static file information: File size 5621992 > 1048576
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuredOnedrive.ClientSetup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: SecuredOnedrive.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: SecuredOnedrive.ClientSetup.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: SecuredOnedrive.ClientSetup.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3188337642.0000000000D70000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3189048412.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: SecuredOnedrive.ClientSetup.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000023.00000000.2588041735.000000000066D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1360091571.0000000004F10000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: SecuredOnedrive.ClientSetup.exe, MSIE625.tmp.2.dr, MSIE355.tmp.2.dr, 4c07e0.msi.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 4c07de.msi.2.dr, 4c07df.rbs.2.dr, MSIE335.tmp.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: SecuredOnedrive.ClientSetup.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: SecuredOnedrive.ClientSetup.exe, 4c07e0.msi.2.dr, MSIFF23.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 4c07de.msi.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3188520857.0000000000DA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3188520857.0000000000DA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000023.00000002.3204060719.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000024.00000002.3198333789.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: SecuredOnedrive.ClientSetup.exe
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

                                   Source: 0.0.SecuredOnedrive.ClientSetup.exe.dc78ec.3.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                   Source: 0.2.SecuredOnedrive.ClientSetup.exe.30e0000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                   Source: ScreenConnect.Client.dll.2.dr | Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
                                   Source: MSIFF23.tmp.1.dr | Static PE information: real checksum: 0x2f213 should be: 0x1125d0
                                   Source: SecuredOnedrive.ClientSetup.exe | Static PE information: real checksum: 0x54d1c1 should be: 0x56256d
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Code function: 0_2_018670B0 push eax; mov dword ptr [esp], ecx | 0_2_018670C1
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Code function: 0_2_01867FE7 push esp; ret | 0_2_01867FF1
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_3_08037237 push eax; iretd | 4_3_08037245
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_03FDDC4A push eax; retf | 35_2_03FDDD29
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_054E0F6E pushad ; ret | 35_2_054E0F73
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_054E0F61 push 48051117h; ret | 35_2_054E0F6D
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Code function: 35_2_05506BE0 push C3042E60h; ret | 35_2_05506BF0
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953840C60 push ebx; retf | 36_2_00007FF95385098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF9538509D8 push ebx; retf | 36_2_00007FF95385098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF9538508CD push ebx; retf | 36_2_00007FF95385098A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953841747 push ebx; retf 5F7Dh | 36_2_00007FF95384176A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B51263 push ebx; iretd | 36_2_00007FF953B5126A
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Code function: 36_2_00007FF953B51648 push ebx; ret | 36_2_00007FF953B5165A

                                  Persistence and Installation Behavior

                                   Source: c:\program files (x86)\screenconnect client (f40cdcc9172e57c6)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-d15a-b6d70ea663b0}\inprocserver32
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.InstallerActions.dll
                                   Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE355.tmp
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Windows.dll
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe
                                   Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIE625.tmp
                                   Source: ScreenConnect.ClientService.dll.2.dr | Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f40cdcc9172e57c6)

                                  Hooking and other Techniques for Hiding and Protection

                                   Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: SecuredOnedrive.ClientSetup.exe, 00000000.00000002.1351594744.00000000058E0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: rundll32.exe, 00000004.00000003.1351021427.0000000005E9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3188337642.0000000000D70000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3206203996.000000001B602000.00000002.00000001.01000000.0000000F.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.WindowsClient.exe, 00000024.00000002.3189048412.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: SecuredOnedrive.ClientSetup.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.ClientService.dll.2.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                   Source: ScreenConnect.Windows.dll.2.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: ScreenConnect.Windows.dll.4.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults data
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 1820000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 3200000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 3040000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 6940000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 60E0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 7940000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 8940000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Memory allocated: 8BD0000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Memory allocated: 1610000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Memory allocated: 17F0000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Memory allocated: D20000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | Memory allocated: 1A6F0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Thread delayed: delay time: 922337203685477
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | Window / User API: threadDelayed 2292
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.InstallerActions.dll
                                   Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE355.tmp
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Windows.dll
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe
                                   Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIE625.tmp
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 7704 | Thread sleep count: 127 > 30
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 7704 | Thread sleep count: 64 > 30
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe TID: 7720 | Thread sleep time: -922337203685477s >= -30000s
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6584 | Thread sleep count: 108 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6956 | Thread sleep count: 62 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 7136 | Thread sleep count: 104 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6956 | Thread sleep count: 108 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6956 | Thread sleep count: 178 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6956 | Thread sleep count: 2292 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe TID: 6348 | Thread sleep time: -30000s >= -30000s
                                   Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                                   Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                                   Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe | Thread delayed: delay time: 922337203685477
                                   Source: svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW@t
                                   Source: svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWnJ1o
                                   Source: svchost.exe, 00000026.00000003.3101614158.0000020C7315A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3100979059.0000020C73158000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u1FDzd2WaMmYUdKO8/96lQ+y91jxxwqNuzvNTVyXuanMPqK2VUpQe2+elpact4JDGgvZ7G6gy3fbC+Pft5Ywslc0m5K5HI4fAPGqFpbHAYo+3ocvPOGDBOjwlBD10iMj2onSLe9n2PKn+BAbAOGGpqkV6XAXm82wk0Nu77pSFmdXa1/HDpfeD6nJWvQCjkK5eHpEqENAauTOKIRfM8aChGfStzAn6hfW72a+HcLNFQZFmViWzCjkgaUK5IMumxkhj4lEdLKCYTdYoW9pAupwLz7g2FLlNxYfIQGUldGUWbpVFTRCTRhNOFniBAutqRPMUKDtEAbJT7+k0kryYzICj+O02gZ8x/duILAmtp1gf2ar56TmPG+jvNxRLmX0AUL8lLTOC1q/kZ4w9DJ1Dx5RTs67ovDjGUZJ46Nrnd1qtF9YcXkbEaBaiOFehJ4DX/04/sCiphmrzSfZRWa/2CNAbSYOGdonmmepNCf1fS8nOAjRpN1DZBvrUpjW2WbYZcIkBN7kvAk5ZOSNElRbRlk4B5P+Zyo55C/B1Wc8FR/E0NtNOR384ZS3/rWcguXXcyglfK2aX/wtwPJiTN1yW0ZNQRt/tEE6B3tSZQd27SEhTO/t3X71C0qhVxSUW+AUzj1KR1Q3R8rVkIk4ZtAAvRPDwo019PfOrKHijaRzao9zqZ6kf3Sd6Tn5rwWOgS/u1eQNl8dCG9hc+gKpDbl9rOd7liCWHa/SgGvNU8hqLRv3oMIyZL2/xTnXbShgC0Fz7eGrniv+MJRkaBvBU7q5KxCdVhaHKP5y+K0TqTNo7Qr8XKgE3StxcfSSZSrfGW5vaPBo+XlCOSWp32t68LUN8++eegPbJYbLD8VD5X44+QZSkrNFfiQHCdA6V4V0gmR163SmhfHSA/QDS8WTfAi5nWAShTch+KlbrfOtpeP+Eyvh7ebdUwKOJLDe/Z5AZkJpAu/0mNgd5SagNLcy1lAh8LA54s1tZ15QYpkIWJEbLvY2iIHcXuXvm1LVaJYojMp1IxLoifTFNRlUrf7c/3lhxfv/Yg+hOVX1AMr3Zq1PnwvsOAUEOktXpcyo8PDRrzKyUsLDVUjSMHw+2T/xDJ08uEOwSF8/p7kCiw8QSrYr6x0mQ0doOYfpV+/oDamnLSfpalPAxHCfbtB9+rqwkrsgIC00l0pL+tm3Hs+vDdAShUrhl7TTl1j/7Ti66ewdVI047Rcz7qWtH/bV9MGShc5puPIsjzZRjyFwobb/C2dPKEgCBYJVfCIlrcb5qHpin0u5w/CzK9InlpohyBFSCkANIZn1I6BJJe9yPZ4UDAvITsr4cXBKuaBF5603O67ROr2VfM2FNbjEgSAL4o4bs8Zd+enCUaBExD5qhXbhl3BhQB9nsjA/xBzfVuDIF+wvdaedaKACvqClfzeptyybHz/8eNSLEeri1gtJ8aiQqF41a6Ig4YOG99Ys/XWe9FycgTDyLFPD+SuupiY2ozevmJz1u9fNm8XX3gAwIxfl2jMX+gsYb1KPOyKkEN9JQTgsqubdLq6JFGHnWNfNkDkC7OvVK0Zl/YzAuu3UNV9Tlb4zwZBKfGy3ftncQD6nSa/eL6nc2e8C9ZdquwopXGE1kcWNRi0q21Ec+kw6VapLHSR+/eAqZvc+Qq8bjD5BTY+LGpKgBHxthecSf5TQQSyWc/95UuXGILOkMiqs1VyX7fJLaNUEr1PmbLdco7yzHNXkkHLTtwbc6LCaF
qpdRX8OBdMfiySLYoM0cVhmK4P7XKnLNbZZk/NQuSjcTzNUFyt5IYGE/lS1Zk2cTFKylwTAL3tTf0E+VgS5Vtt0Irk/Ey5z+82pXS8FETpEvSItMG2Mj1mTk1Jjcte2uuBX93aTONNgkG4RiiF6tjQ/0w3pwhDwStxgAjoEsFpIlS2LKBsrdPC2vw6tcwzS5WObdbffLMRpPH1QHJrGQTAFK7IrV3NK0mHE3U5gQ28yjqqN/LjJRnJVQHFa9OaCAuoEAtFtX6piR1udLsaGp+etcswho3E5KLTZDpR6JROZ0tqCvRjPv6TODiHPR5PBU4VROq/MnB4H/cN9sSKwqtrV9G1TRLE09kS++JBc/vyxp+joq5cmBm83FKACtKx7SwNy4K9K3Jj71NyelUNUtiam0uizflI+kjJnO6MYUN9Wt1qAS7TKFZJzcNCOJEXKaN7bHJg/H6CJ+S7hieX44EPdLFlUZgMO/lVBdSrHgk6sI8mgeKD2vtcuR1hagilskB+ppR9Sdy9KZALrMGNDt6Br4E5RuD0we8U1X5lFJSNyHlNxTbbRxBJivdGUa7gy74xG2PyKJBPVVEP/jLpA9c4Pe+gpOtYAOPByxzLXBLbeXebq6AGyacBBTTt9PBDVSIqM9N2HduDYUYuG+3kDryfQ0U92VpSDK4QPowC/6SDpUrPCCxdMR1yXCyhEO7hLrjUnizMokfhD93ulg+6qZIuyvbJHnRfGrKvVAhicIcfekoTm7iT9V/0cpQanMlTeCDXyl5WfyU8y/DXIOOH6kBfQrmqcyhMRaVqTcezhDmPRZnXMtAL1OWJPiuQ+EOZgH7PxiCIl0aialjCW2E/QiKu18HylK9dydSXyEC2jvBseDx3BvVdzAyRgoEAydlcmjmC0DpzTxYrRYqlnyPYBqy6h5v6i23guv1fpQVfrLaWDIDZ9JY3IOKdRUII7M9xqzXscMonhpxogMOHMugU4DPoQl+JYf3Cbdvsf4nvva6QNYhbZzSh8JwA+nSlv0vM4PtC2YkVkJ1SHCeNBCdzTx7gCUGNK6VhUEhkXAhuWUofvpXJSn6RgUqu2xk9O27pBy+R4jQ//vVQVKr3ecRbNrbJQX06SfqbEgSoaQG9ekvq0X/xKr/PuUfFamxeC+EE6D6WL8aA7pEkA9KeGeFo/Cf598JTMpnfVmprZ25T3LUvlDWRqGHhxlFrOmmJGeB8uxxfkntMuetKI8/YrnVUghFg9nqryg5AySOW/UfjwRpijqxMZ+Sbi
Source: svchost.exe, 00000026.00000002.3187625992.0000020C7362B000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAWf
Source: ScreenConnect.ClientService.exe, 00000023.00000002.3212078253.00000000043D0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9
Source: svchost.exe, 00000026.00000003.3100091779.0000020C73CBD000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string:
Source: C:\Windows\System32\msiexec.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe -- Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe -- Memory allocated: page read and write | page guard

                                  HIPS / PFW / Operating System Protection Evasion

Source: 0.0.SecuredOnedrive.ClientSetup.exe.dc78ec.3.raw.unpack, Program.cs -- Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.2.SecuredOnedrive.ClientSetup.exe.5830000.1.raw.unpack, NativeLibrary.cs -- Reference to suspicious API methods: LoadLibrary(type, assemblyTypeHint)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsMemoryNativeLibrary.cs -- Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsMemoryNativeLibrary.cs -- Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsMemoryNativeLibrary.cs -- Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.SecuredOnedrive.ClientSetup.exe.58e0000.4.raw.unpack, WindowsExtensions.cs -- Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe -- Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
Source: unknown -- Process created: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (f40cdcc9172e57c6)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=e985b3b5-2d48-4579-950f-7cf7cea64711&k=bgiaaackaabsu0exaagaaaeaaqdx5hihfbq7xnz7ziur93mhza2t4colt7txcnjfouviknbizwl%2brlng8e7lnmyj3fs%2frdlvlbfu11xnjfh1nfsqr%2fz7wgklgi9m0nmzd1z9au%2fkkpmptn190fox94x6g%2bssvcnazzn2lrbb3le5vmwl7b9cvxu3oyskv%2fhb4lrazqrxpu%2bk%2b6yae74%2f2gcrhelmuoj7vqvtiya8y63drial69u%2bpybfgopfp4%2baifprp4zokdjucwgif2n%2f0km%2f2ncoazoh6morspbr3sp04g%2biar7xflzbi2y%2b6xuva8que%2baquznpu0qnkpivt86mq%2bz9ip8m9ikptevrx2mxrpjm"
Source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr -- Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr -- Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe -- Queries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe -- Queries volume information: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe -- Code function: 35_2_017C4C60 RtlGetVersion,35_2_017C4C60
Source: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe -- Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: C:\Windows\SysWOW64\rundll32.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\rundll32.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match -- File source: SecuredOnedrive.ClientSetup.exe, type: SAMPLE
Source: Yara match -- File source: 36.2.ScreenConnect.WindowsClient.exe.276cee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 36.0.ScreenConnect.WindowsClient.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuredOnedrive.ClientSetup.exe.5ad0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.SecuredOnedrive.ClientSetup.exe.945db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuredOnedrive.ClientSetup.exe.5ad0000.7.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.SecuredOnedrive.ClientSetup.exe.8963d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.SecuredOnedrive.ClientSetup.exe.91c3d4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.SecuredOnedrive.ClientSetup.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.1357121023.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match -- File source: 00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: SecuredOnedrive.ClientSetup.exe PID: 7700, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: rundll32.exe PID: 7944, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6168, type: MEMORYSTR
Source: Yara match -- File source: C:\Windows\Temp\~DF396F1F6BCFA4F979.TMP, type: DROPPED
Source: Yara match -- File source: C:\Windows\SystemTemp\~DF3E7AF8623EFBA648.TMP, type: DROPPED
Source: Yara match -- File source: C:\Windows\Temp\~DF1EE28CC3FA69E8B2.TMP, type: DROPPED
Source: Yara match -- File source: C:\Windows\Temp\~DF705F767D6988847A.TMP, type: DROPPED
Source: Yara match -- File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match -- File source: C:\Windows\Temp\~DF6FB06F37CC3C3C50.TMP, type: DROPPED
Source: Yara match -- File source: C:\Windows\SystemTemp\~DF23B33A70C9B36438.TMP, type: DROPPED
Source: Yara match -- File source: C:\Config.Msi\4c07df.rbs, type: DROPPED
Source: Yara match -- File source: C:\Windows\Installer\MSIE335.tmp, type: DROPPED
Source: Yara match -- File source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, type: DROPPED
MITRE ATT&CK Matrix (one column per tactic; a leading number in a cell is the count of signatures mapped to that technique, cells without a number had no match):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | 11 Archive Collected Data | 22 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | 1 Replication Through Removable Media | 1 Native API | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Component Object Model Hijacking | 1 Component Object Model Hijacking | 1 Obfuscated Files or Information | Security Account Manager | 14 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Valid Accounts | 1 Valid Accounts | 1 Software Packing | NTDS | 11 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Windows Service | 1 Access Token Manipulation | 1 Timestomp | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | 1 Bootkit | 2 Windows Service | 1 DLL Side-Loading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 12 Process Injection | 1 DLL Search Order Hijacking | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Masquerading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Valid Accounts | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Modify Registry | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Access Token Manipulation | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 31 Virtualization/Sandbox Evasion | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 12 Process Injection | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
Identify Business Tempo | Botnet | Hardware Additions | Python | Hypervisor | Process Injection | 1 Hidden Users | Credential API Hooking | Domain Groups | Exploitation of Remote Services | Remote Email Collection | External Proxy | Transfer Data to Cloud Account | Reflection Amplification
Identify Roles | Web Services | Masquerade as Legitimate Application | JavaScript | Valid Accounts | Dynamic-link Library Injection | 1 Bootkit | Brute Force | Cloud Groups | Attack PC via USB Connection | Email Forwarding Rule | Multi-hop Proxy | Exfiltration Over Web Service | Endpoint Denial of Service
Gather Victim Host Information | Serverless | Drive-By Compromise | Network Device CLI | Default Accounts | Portable Executable Injection | 1 Rundll32 | Password Guessing | System Information Discovery | Exploitation of Remote Services | Clipboard Data | Domain Fronting | Exfiltration to Code Repository | OS Exhaustion Flood

                                  Legend:

                                  • Process
                                  • Signature
                                  • Created File
                                  • DNS/IP Info
                                  • Is Dropped
                                  • Is Windows Process
                                  • Number of created Registry Values
                                  • Number of created Files
                                  • Visual Basic
                                  • Delphi
                                  • Java
                                  • .Net C# or VB.NET
                                  • C, C++ or other language
                                  • Is malicious
                                  • Internet
Behavior Graph ID: 1582217 | Sample: SecuredOnedrive.ClientSetup.exe | Startdate: 30/12/2024 | Architecture: WINDOWS | Score: 66

The graph nodes below are listed per process; the number in square brackets is the node id in the graph, and the numbers in parentheses are the counters drawn on the process node (see the legend above).

Root node [2]
  DNS/IP: tse1.mm.bing.net; server-nixce85832f-relay.screenconnect.com; 6 other IPs or domains
  Signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 4 other signatures
  Started: msiexec.exe [9] (94 51); ScreenConnect.ClientService.exe [13] (17 17); SecuredOnedrive.ClientSetup.exe [16] (5); svchost.exe [18]

msiexec.exe [9]
  Dropped: ScreenConnect.Wind...dentialProvider.dll, PE32+; C:\...\ScreenConnect.ClientService.exe, PE32; C:\Windows\Installer\MSIE625.tmp, PE32; 9 other files (none is malicious)
  Signatures: Enables network access during safeboot for specific services; Modifies security policies related information
  Started: msiexec.exe [20]; msiexec.exe [22] (1); msiexec.exe [24]

ScreenConnect.ClientService.exe [13]
  DNS/IP: server-nixce85832f-relay.screenconnect.com 145.40.105.136, 443, 49839, 49841 BREEDBANDDELFTNL Netherlands
  Signatures: Reads the Security eventlog; Reads the System eventlog
  Started: ScreenConnect.WindowsClient.exe [26] (2)

SecuredOnedrive.ClientSetup.exe [16]
  Signatures: Contains functionality to hide user accounts
  Started: msiexec.exe [29] (8)

msiexec.exe [20]
  Started: rundll32.exe [32] (10); MpCmdRun.exe [36] (2)

ScreenConnect.WindowsClient.exe [26]
  Signatures: Contains functionality to hide user accounts

msiexec.exe [29]
  Dropped: C:\Users\user\AppData\Local\...\MSIFF23.tmp, PE32

rundll32.exe [32]
  Dropped: C:\Users\user\...\ScreenConnect.Windows.dll, PE32; C:\...\ScreenConnect.InstallerActions.dll, PE32; C:\Users\user\...\ScreenConnect.Core.dll, PE32; 4 other files (none is malicious)
  Signatures: Contains functionality to hide user accounts

MpCmdRun.exe [36]
  Started: conhost.exe [38]

Source | Detection | Scanner | Label | Link
SecuredOnedrive.ClientSetup.exe | 26% | Virustotal | | Browse
SecuredOnedrive.ClientSetup.exe | 24% | ReversingLabs | Win32.PUA.ConnectWise |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSIFF23.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE355.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE625.tmp | 0% | ReversingLabs | |
                                  No Antivirus matches
                                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.microsofthttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1. | 0% | Avira URL Cloud | safe |
http://docs.oasis-open.o | 0% | Avira URL Cloud | safe |
http://instance-cb2j07-relay.screenconnect.com:443/C | 0% | Avira URL Cloud | safe |
https://feedback.screenconnect.com/Feedback.axd | 0% | Avira URL Cloud | safe |
http://docs.oasiDatan.o | 0% | Avira URL Cloud | safe |
http://instance-cb2j07-relay.screenconnect.com:443/ | 0% | Avira URL Cloud | safe |
https://login.li0# | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
ax-0001.ax-msedge.net | 150.171.27.10 | true | false | | high
server-nixce85832f-relay.screenconnect.com | 145.40.105.136 | true | false | | unknown
assets.msn.com | unknown | unknown | false | | high
browser.events.data.msn.cn | unknown | unknown | false | | high
res.public.onecdn.static.microsoft | unknown | unknown | false | | high
tse1.mm.bing.net | unknown | unknown | false | | high
instance-cb2j07-relay.screenconnect.com | unknown | unknown | false | | unknown
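Added example, not part of the Joe Sandbox report: the domain table above is the part of this report an analyst actually pivots on, because every host except the two ScreenConnect relays is ordinary Microsoft/MSN/Bing background traffic with high reputation. The script below takes the table in the one-cell-per-line form the page copies out as (a constructed sample built only from rows shown above), rebuilds the rows, and pulls out the relay hosts and their tenant ids. The relay-name pattern `<instance|server>-<id>-relay.screenconnect.com` is an assumption generalised from the two names in this report, and the helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the Name / IP / Active+Malicious / Reputation
# cells of the "Domains" table above, one cell per line, which is how the
# sandbox page comes out when copied as text. Every value is taken from the
# report; no rows are invented.
DOMAIN_TABLE_TEXT = """\
bg.microsoft.map.fastly.net
199.232.214.172
truefalse
high
ax-0001.ax-msedge.net
150.171.27.10
truefalse
high
server-nixce85832f-relay.screenconnect.com
145.40.105.136
truefalse
unknown
assets.msn.com
unknown
unknownfalse
high
instance-cb2j07-relay.screenconnect.com
unknown
unknownfalse
unknown
"""

# screenconnect.com is the vendor's own cloud relay domain, so the suffix is
# shared by every ScreenConnect tenant; the id in the middle is the part that
# identifies this deployment. Pattern assumed from the two names in the report.
RELAY_RE = re.compile(r"^(instance|server)-([a-z0-9]+)-relay\.screenconnect\.com$", re.I)
# The page fuses the Active and Malicious cells into one token, e.g. "truefalse".
FLAGS_RE = re.compile(r"^(true|false|unknown)(true|false)$")


@dataclass
class DomainRow:
    name: str
    ip: Optional[str]        # None where the report prints "unknown"
    active: Optional[bool]   # None where the report prints "unknown"
    malicious: bool
    reputation: str          # "high" / "unknown" as Joe Sandbox labels it


def _tri(value: str) -> Optional[bool]:
    return None if value == "unknown" else value == "true"


def parse_domain_rows(text: str) -> List[DomainRow]:
    """Regroup the flattened text into four-cell rows and decode the fused flags."""
    cells = [c.strip() for c in text.splitlines() if c.strip()]
    rows: List[DomainRow] = []
    for i in range(0, len(cells) - len(cells) % 4, 4):
        name, ip, flags, reputation = cells[i:i + 4]
        m = FLAGS_RE.match(flags)
        if not m:
            raise ValueError(f"unexpected Active/Malicious cell {flags!r} for {name}")
        rows.append(DomainRow(
            name=name,
            ip=None if ip == "unknown" else ip,
            active=_tri(m.group(1)),
            malicious=m.group(2) == "true",
            reputation=reputation,
        ))
    return rows


def relay_iocs(rows: List[DomainRow]) -> List[DomainRow]:
    """Rows whose name is a ScreenConnect relay host, in report order."""
    return [r for r in rows if RELAY_RE.match(r.name)]


def relay_instance_ids(rows: List[DomainRow]) -> List[str]:
    """The tenant ids embedded in the relay names: the value to hunt on."""
    return [RELAY_RE.match(r.name).group(2) for r in relay_iocs(rows)]


def unvetted(rows: List[DomainRow]) -> List[DomainRow]:
    """Rows the scanners did not flag but also could not vouch for."""
    return [r for r in rows if not r.malicious and r.reputation == "unknown"]


if __name__ == "__main__":
    rows = parse_domain_rows(DOMAIN_TABLE_TEXT)
    for r in relay_iocs(rows):
        print(f"relay {r.name} ip={r.ip} active={r.active} reputation={r.reputation}")
    print("instance ids:", relay_instance_ids(rows))
```

Note that on this sample the only rows with unknown reputation are exactly the two relay hosts, which is the signal the rest of the table buries. Blocking screenconnect.com outright breaks every legitimate ScreenConnect deployment in the estate; the tenant ids and the resolved IP 145.40.105.136 are the narrower indicators to search proxy and DNS logs for.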
Name | Source | Malicious | Antivirus Detection | Reputation
http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723 | svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.mi | svchost.exe, 00000026.00000003.2763654201.0000020C73107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/scicy | svchost.exe, 00000026.00000002.3187449867.0000020C73137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trustce | svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.microsofthttp://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1. | svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.2.dr | false | | high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf( | svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.o | svchost.exe, 00000026.00000003.2763803473.0000020C73176000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust | svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3086962579.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2923741941.0000020C73169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2639726994.0000020C7316A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3099009354.0000020C73176000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iw | svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/news/ | rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss- | svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/MSARST2.srf | svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/STS | svchost.exe, 00000026.00000003.2626285525.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087687332.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095647827.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID | svchost.exe, 00000026.00000003.3111135912.0000020C73C1D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/tbpose | svchost.exe, 00000026.00000002.3188257461.0000020C736CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2 | svchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2Data | svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 00000026.00000002.3187502159.0000020C7315F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2UTF-8 | svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf | svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb | svchost.exe, 00000026.00000003.2921467345.0000020C73681000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2761467795.0000020C73681000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3098700963.0000020C7317C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001852000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM | svchost.exe, 00000026.00000003.2622151651.0000020C73127000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://signup.live.com/signup.aspx | svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDp | svchost.exe, 00000026.00000003.2911730553.0000020C7310E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | svchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svchost.exe, 00000026.00000003.3104367415.0000020C73197000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3087687332.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3187449867.0000020C73137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095647827.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/scnnect | svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/InlineSignup.aspx?iww=1&amp;id=80502 | svchost.exe, 00000026.00000003.2622698561.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622643476.0000020C73141000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://instance-cb2j07-relay.screenconnect.com:443/ | ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001C58000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.00000000019A9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001919000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000023.00000002.3189969842.0000000001A7B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
https://account.live.com/msangcwam | svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000026.00000002.3187703294.0000020C73633000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://passport.net/tb | svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/scce | svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf | svchost.exe, 00000026.00000002.3186554768.0000020C72840000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns: | svchost.exe, 00000026.00000003.2639419884.0000020C7312D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd | svchost.exe, 00000026.00000003.2751597461.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurixmlns:S | svchost.exe, 00000026.00000003.3087318770.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/releases/ | rundll32.exe, 00000004.00000003.1351245655.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1351021427.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
https://account.live.com/Wizard/Password/Change?id=80601 | svchost.exe, 00000026.00000003.2621831142.0000020C73129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622282906.0000020C73152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2621831142.0000020C7312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc | svchost.exe, 00000026.00000003.3105458335.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3086962579.0000020C7316C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2923741941.0000020C73169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2639726994.0000020C7316A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3099009354.0000020C73176000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601 | svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600 | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/202733830568NFQXJP | svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | svchost.exe, 00000026.00000002.3186818033.0000020C728B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdws/20 | svchost.exe, 00000026.00000003.3087641597.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095323755.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3095484960.0000020C7316B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf | svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://instance-cb2j07-relay.screenconnect.com:443/C | ScreenConnect.ClientService.exe, 00000023.00000002.3185732442.0000000000B84000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                                                                                                                                      http://docs.oasiDatan.osvchost.exe, 00000026.00000003.3087163816.0000020C7316B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://login.li0#svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.2622170842.0000020C7313B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000026.00000002.3186592771.0000020C7285C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://account.live.com/Wizard/Password/Change?0#svchost.exe, 00000026.00000003.2622611480.0000020C73140000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000026.00000002.3186520522.0000020C72829000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.3098700963.0000020C7317C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
145.40.105.136 | server-nixce85832f-relay.screenconnect.com | Netherlands | 34108 | BREEDBANDDELFTNL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582217
Start date and time: 2024-12-30 04:02:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Run with higher sleep bypass
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuredOnedrive.ClientSetup.exe
Detection: MAL
Classification: mal66.evad.winEXE@18/58@6/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 72%
• Number of executed functions: 162
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): SecurityHealthHost.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.126.32.136, 20.190.160.20, 40.126.32.72, 40.126.32.138, 40.126.32.68, 20.190.160.22, 40.126.32.133, 20.190.160.17, 20.223.36.55, 2.23.209.52, 2.23.209.26, 2.23.209.59, 2.23.209.45, 2.23.209.36, 2.23.209.3, 2.23.209.20, 2.23.209.51, 23.212.90.75, 2.23.209.182, 2.23.209.130, 2.23.209.165, 2.23.209.149, 2.23.209.140, 2.23.209.187, 2.23.209.133, 20.189.173.9, 4.175.87.197, 40.69.42.241
• Excluded domains from analysis (whitelisted): onedscolprdwus08.westus.cloudapp.azure.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, res-ocdi-public.trafficmanager.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, otelrules.svc.static.microsoft, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, e28578.d.akamaiedge.net, www.bing.com, fd-api-iris.trafficmanager.net, assets.msn.com.edgekey.net, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, fd.api.iris.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, res-1.public.onecdn.static.microsoft.edgekey.net, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, mm-mm.bing.net.trafficmanager.net, global.asimov.events.data.trafficmanager.net, iris-de-prod-azsc-v2-neu-b.northeurope.clo
• Execution Graph export aborted for target SecuredOnedrive.ClientSetup.exe, PID 7700 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7944 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 145.40.105.136
• $RUX313H.exe | malicious | ScreenConnect Tool, Neshta
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: ax-0001.ax-msedge.net
• installer64v3.2.0.msi | malicious | Unknown | 150.171.28.10
• https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 150.171.28.10
• skript.bat | malicious | Vidar | 150.171.28.10
• ERTL09tA59.exe | malicious | LummaC | 150.171.28.10
• vJPhYDClT5.exe | malicious | Unknown | 150.171.27.10
• GtEVo1eO2p.exe | malicious | LummaC | 150.171.28.10
• http://assets.website-files.com/65efffe8d4e10d26910f0543/65f65633ab8b2f021b357c18_64146967722.pdf | malicious | Unknown | 150.171.28.10
• WCeE1A6Xyz.exe | malicious | Clipboard Hijacker, Cryptbot | 150.171.27.10
• eMBO6wS1b5.exe | malicious | LummaC Stealer | 150.171.27.10
• HUBED342024.exe | malicious | MassLogger RAT | 150.171.27.10
Match: server-nixce85832f-relay.screenconnect.com
• $RUX313H.exe | malicious | ScreenConnect Tool, Neshta | 145.40.105.136
Match: bg.microsoft.map.fastly.net
• dsoft.exe | malicious | Python Stealer, Creal Stealer | 199.232.210.172
• Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 199.232.210.172
• Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 199.232.214.172
• SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 199.232.214.172
• 3KFFG52TBI.exe | malicious | Unknown | 199.232.214.172
• a2mNMrPxow.exe | malicious | Unknown | 199.232.214.172
• tzA45NGAW4.lnk | malicious | Unknown | 199.232.210.172
• sYPORwmgwQ.exe | malicious | Unknown | 199.232.214.172
• New Upd v1.1.0.exe | malicious | LummaC | 199.232.214.172
• JA7cOAGHym.exe | malicious | Vidar | 199.232.214.172
                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                  BREEDBANDDELFTNLxd.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                  • 145.36.168.250
                                                                                                                                                                                  nabmips.elfGet hashmaliciousUnknownBrowse
  • 145.43.245.107
mips.nn.elf | Detection: malicious | Threat: Mirai, Okiru
  • 145.32.35.137
arm7.nn.elf | Detection: malicious | Threat: Mirai, Okiru
  • 145.43.203.176
armv4l.elf | Detection: malicious | Threat: Unknown
  • 145.41.61.230
IGz.arm.elf | Detection: malicious | Threat: Mirai
  • 145.41.209.2
arm7.nn-20241213-0355.elf | Detection: malicious | Threat: Mirai, Okiru
  • 145.43.183.140
mips.nn.elf | Detection: malicious | Threat: Mirai, Okiru
  • 145.42.56.166
loligang.ppc.elf | Detection: malicious | Threat: Mirai
  • 145.43.96.120
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll
  NotaFiscalOnline.ClientSetup.ex#.exe | Detection: malicious | Threat: ScreenConnect Tool
  NotaFiscalOnline.ClientSetup.ex#.exe | Detection: malicious | Threat: ScreenConnect Tool
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig
  dMDImIGmc7.exe | Detection: malicious | Threat: ScreenConnect Tool
  dMDImIGmc7.exe | Detection: malicious | Threat: ScreenConnect Tool
  estatement020134230003.exe.virus.exe | Detection: malicious | Threat: ScreenConnect Tool
  estatement020134230003.exe.virus.exe | Detection: malicious | Threat: ScreenConnect Tool

Match: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.Client.dll
  NotaFiscalOnline.ClientSetup.ex#.exe | Detection: malicious | Threat: ScreenConnect Tool
  NotaFiscalOnline.ClientSetup.ex#.exe | Detection: malicious | Threat: ScreenConnect Tool
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig
  file.exe | Detection: malicious | Threat: ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig
  dMDImIGmc7.exe | Detection: malicious | Threat: ScreenConnect Tool
  dMDImIGmc7.exe | Detection: malicious | Threat: ScreenConnect Tool
  estatement020134230003.exe.virus.exe | Detection: malicious | Threat: ScreenConnect Tool
  estatement020134230003.exe.virus.exe | Detection: malicious | Threat: ScreenConnect Tool
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 219531
Entropy (8bit): 6.5819934048353845
Encrypted: false
SSDEEP: 3072:E69LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGc:E6uH2aCGw1ST1wQLdqvc
MD5: 424C004BF05F152D44A10655D87AF527
SHA1: 112393D8FD09A3768BCB6436BADB4C7DBA6646DC
SHA-256: C2633BA4A2652D5C78CC2A1F5E9F4D5DEDA7DFF685A02CE84CC690F487263277
SHA-512: 7D6B144FBC2F3F5B648F17232961B80F45A8B94CA23852987F6B95B02D5C80C3B2C312386E184213CF51F8687A4E0DC17D36092D3E57A7F5D881E03BE629A481
Malicious: false
Yara Hits:
  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\4c07df.rbs, Author: Joe Security
                                                                                                                                                                                                                      Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{7194EC79-79EF-CD38-454E-84482F62C93C}'.ScreenConnect Client (f40cdcc9172e57c6)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{7194EC79-79EF-CD38-454E-84482F62C93C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (f40cdcc9172e57c6)......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1]....ProcessComponents..Updating component registration..&.{F3F5E099-6EBE-0C3F-2261-B5C7F8C1CAEE}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{24139418-7B3F-A718-21A9-7B6042F6E38E}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{68BD4989-F8AD-BF77-90EC-79188BCD6689}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{30136DC6-9BF8-3798-D11E-EAEB284AA8B9}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{7DE967B9-6D28-1F0A-661A-7327220B1398}&.{7194EC79-79EF-CD38-454E-84482F62C93C}.@......&.{96E1AE58-35C4-800C-C551-0AB5E6E20551}&.{7194EC79-79EF-CD38-454E
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 50133
Entropy (8bit): 4.759054454534641
Encrypted: false
SSDEEP: 1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5: D524E8E6FD04B097F0401B2B668DB303
SHA1: 9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256: 07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512: E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious: false
                                                                                                                                                                                                                      Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 26722
Entropy (8bit): 7.7401940386372345
Encrypted: false
SSDEEP: 384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5: 5CD580B22DA0C33EC6730B10A6C74932
SHA1: 0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256: DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512: C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious: false
                                                                                                                                                                                                                      Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 197120
Entropy (8bit): 6.586775768189165
Encrypted: false
SSDEEP: 3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5: 3724F06F3422F4E42B41E23ACB39B152
SHA1: 1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256: EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512: 509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: dMDImIGmc7.exe, Detection: malicious
  • Filename: dMDImIGmc7.exe, Detection: malicious
  • Filename: estatement020134230003.exe.virus.exe, Detection: malicious
  • Filename: estatement020134230003.exe.virus.exe, Detection: malicious
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 68096
Entropy (8bit): 6.06942231395039
Encrypted: false
SSDEEP: 1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5: 5DB908C12D6E768081BCED0E165E36F8
SHA1: F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256: FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512: 8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: file.exe, Detection: malicious
  • Filename: dMDImIGmc7.exe, Detection: malicious
  • Filename: dMDImIGmc7.exe, Detection: malicious
  • Filename: estatement020134230003.exe.virus.exe, Detection: malicious
  • Filename: estatement020134230003.exe.virus.exe, Detection: malicious
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):95512
                                                                                                                                                                                                                      Entropy (8bit):6.504684691533346
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                                                                                                                                                      MD5:75B21D04C69128A7230A0998086B61AA
                                                                                                                                                                                                                      SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                                                                                                                                                      SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                                                                                                                                                      SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):548864
                                                                                                                                                                                                                      Entropy (8bit):6.034211651049746
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                                                                                                                                      MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                                                                                                                                      SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                                                                                                                                      SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                                                                                                                                      SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1721856
                                                                                                                                                                                                                      Entropy (8bit):6.639085961200334
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                      MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                                                                                                                                      SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                                                                                                                                      SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                                                                                                                                      SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):260168
                                                                                                                                                                                                                      Entropy (8bit):6.416438906122177
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                                                                                                                                                      MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                                                                                                                                                      SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                                                                                                                                                      SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                                                                                                                                                      SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):61208
                                                                                                                                                                                                                      Entropy (8bit):6.310126082367387
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                                                                                                                                                      MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                                                                                                                                                      SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                                                                                                                                                      SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                                                                                                                                                      SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
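The dropped-file records above are worth pulling into a structured form before pivoting on them: each record is one "Key:Value" line per field, bullet lines hang off the preceding list-valued key, and a new record begins at "Process:". The parser below is an added example, not Joe Sandbox code and not part of this report; it assumes exactly that layout. Its triage step flags the two things a practitioner checks first in such a listing: a record the sandbox marks Malicious:true while every AV engine reports 0% (the verdict is behavioural, so the hashes are what you hunt on, not a signature), and a PE file type whose preview does not start with the MZ header. The sample text is constructed from two records of this listing with the previews shortened; the 7.0 entropy threshold for "probably packed" is an assumed rule of thumb.

```python
"""Parse the 'dropped files' records of a Joe Sandbox text report and triage them.

Added example, not part of the report and not Joe Sandbox code. Record layout
is assumed from the listing: one 'Key:Value' per line, a record starts at
'Process:', and bullet lines ('• ...') belong to the preceding list-valued key.
"""
import re
from typing import Any, Dict, List, Optional

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
LIST_KEYS = {"Antivirus", "Joe Sandbox View"}
HIGH_ENTROPY = 7.0  # assumed threshold: above this a PE is usually packed or encrypted
DETECTION_RE = re.compile(r"Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")

# Constructed sample: two records copied from the listing above, previews shortened.
SAMPLE = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):95512
Entropy (8bit):6.504684691533346
Encrypted:false
SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:75B21D04C69128A7230A0998086B61AA
SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@.......!..L.!This program cannot be run in DOS mode....
Process:C:\\Windows\\System32\\msiexec.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):266
Entropy (8bit):4.842791478883622
Encrypted:false
SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:728175E20FFBCEB46760BB5E1112F38B
SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>..</configuration>
"""


def parse_dropped_files(text: str) -> List[Dict[str, Any]]:
    """Split the listing into one dict per record; list-valued keys become lists."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            # A bullet continues the list opened by the previous key (e.g. Antivirus:).
            if last_key in LIST_KEYS:
                current.setdefault(last_key, []).append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")  # first colon only: values may contain ':'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Process" and current:
            records.append(current)
            current = {}
        if key in LIST_KEYS:
            current.setdefault(key, [])
        else:
            current[key] = value
        last_key = key
    if current:
        records.append(current)
    return records


def av_detection(record: Dict[str, Any]) -> Dict[str, int]:
    """Map engine name -> detection percentage from the record's Antivirus bullets."""
    found: Dict[str, int] = {}
    for entry in record.get("Antivirus", []):
        m = DETECTION_RE.search(entry)
        if m:
            found[m.group("engine").strip()] = int(m.group("pct"))
    return found


def triage(record: Dict[str, Any]) -> List[str]:
    """Return the checks a record fails; an empty list means nothing stood out."""
    findings: List[str] = []
    for algo, n in HEX_LEN.items():
        if not re.fullmatch(rf"[0-9A-Fa-f]{{{n}}}", record.get(algo, "")):
            findings.append(f"{algo} malformed or missing")
    if record.get("File Type", "").startswith("PE32") and not record.get("Preview", "").startswith("MZ"):
        findings.append("PE file type but preview lacks MZ header")
    try:
        entropy = float(record.get("Entropy (8bit)", "0"))
    except ValueError:
        entropy = 0.0
    if entropy >= HIGH_ENTROPY:
        findings.append(f"high entropy {entropy:.2f}: likely packed or encrypted")
    if record.get("Malicious") == "true" and not any(p > 0 for p in av_detection(record).values()):
        findings.append("malicious verdict with 0% AV detection: behavioural verdict, pivot on hashes")
    return findings


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE):
        print(rec["SHA-256"], rec.get("File Type"), triage(rec))
```

Run it against a report pasted into a file by replacing SAMPLE with the file's contents; the hash pivots come out of the parsed records, and the findings list tells you which of them deserve a manual look before you trust the aggregate AV number.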

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):602392
Entropy (8bit):6.176232491934078
Encrypted:false
SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:false
                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):842248
                                                                                                                                                                                                                      Entropy (8bit):6.268561504485627
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                                                                                                                                                      MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                                                                                                                                                      SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                                                                                                                                                      SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                                                                                                                                                      SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):81688
                                                                                                                                                                                                                      Entropy (8bit):5.8618809599146005
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                                                                                                                                                      MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                                                                                                                                                      SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                                                                                                                                                      SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                                                                                                                                                      SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1777
                                                                                                                                                                                                                      Entropy (8bit):4.70680553867855
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:Oh95AfdH85AfdHH/dHS/dHjdH6dH/dHAdHadGHjdGHeGH3dHYOdHX:o92H82HVHeHZHUH1HyHlHgHNHtHDHX
                                                                                                                                                                                                                      MD5:A010CA07B19C21154177D245E78342B5
                                                                                                                                                                                                                      SHA1:3EE27D15FEC2098E8C4FBB4605F087A0FBD0E9AC
                                                                                                                                                                                                                      SHA-256:4528078B8513B04BE7CDE2EE067E353D90F1F2416E29F0B70816DDA33246BC1D
                                                                                                                                                                                                                      SHA-512:24DCF96DF91AFBEBB42A9DCEB5AD1724F5389A17FB3E3E4D9D561C5D401CCBC18D5814160A12E8FE66301F18F22B37DAE840F850304BB7632FFEA1988358993F
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowSystemTrayIcon" serializeAs="String">.. <value>false
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with very long lines (488), with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):978
                                                                                                                                                                                                                      Entropy (8bit):5.787685549884293
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:24:2dL9hK6E4dl/5AuvO3rVE82sbVu7z43vH:chh7HH51G3BVVL3v
                                                                                                                                                                                                                      MD5:744B58801E892B340A7B27F2C0B0EA3B
                                                                                                                                                                                                                      SHA1:4612A4E5AE1D0CFE7B5F865E71FF059CC2867D19
                                                                                                                                                                                                                      SHA-256:B47280986E7ADC3396EA0A657601B7717653D1E44748EB1A042A2E38A1EE2BB1
                                                                                                                                                                                                                      SHA-512:5341082D08D0C1BA0FF3BADFD193C854BA9F197BB6B995ACAB61C52DEFB8FC3EA88A12A3BB90C81F9DF37ED728CC67BCDBFC5B3529C0BB4EF46B18B0B18539BB
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-cb2j07-relay.screenconnect.com&amp;p=443&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:dropped
Size (bytes):1088392
Entropy (8bit):7.789940577622617
Encrypted:false
SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
MD5:8A8767F589EA2F2C7496B63D8CCC2552
SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):234
Entropy (8bit):4.977464602412109
Encrypted:false
SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
MD5:6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:false
Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):49152
Entropy (8bit):4.62694170304723
Encrypted:false
SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:77BE59B3DDEF06F08CAA53F0911608A5
SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):36864
Entropy (8bit):4.340550904466943
Encrypted:false
SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:4717BCC62EB45D12FFBED3A35BA20E25
SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):57344
Entropy (8bit):4.657268358041957
Encrypted:false
SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:A921A2B83B98F02D003D9139FA6BA3D8
SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):5.775360792482692
Encrypted:false
SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):548864
Entropy (8bit):6.034211651049746
Encrypted:false
SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:14E7489FFEBBB5A2EA500F796D881AD9
SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.273875899788767
Encrypted:false
SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
MD5:73A24164D8408254B77F3A2C57A22AB4
SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1721856
Entropy (8bit):6.639085961200334
Encrypted:false
SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:9AD3964BA3AD24C42C567E47F88C82B2
SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
Process:C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7194EC79-79EF-CD38-454E-84482F62C93C}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:dropped
Size (bytes):9920512
Entropy (8bit):7.960979464014877
Encrypted:false
SSDEEP:98304:pwJ4t1h0cG5FGJRPxow8OnwJ4t1h0cG5KwJ4t1h0cG5UwJ4t1h0cG5MwJ4t1h0cW:WWh0cGwOWh0cGRWh0cGHWh0cG/Wh0cG
MD5:82880DDDD1A2D09B1C624A466E66A4E0
SHA1:F2F01FB246D0558FA67626797B6D760C296B865D
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
SHA-512:00842BFCD27FE03A2765FD29E33611E6651424DD609E0FEE3D4738DCA074BE2CEF7D94F0F8A2EF8F92E3DA8F418C0F775B65876763A44885C2236A20D311F110
Malicious:false
Preview:......................>.......................................................|...s...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):423615
Entropy (8bit):6.577810162810572
Encrypted:false
SSDEEP:6144:fuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvd:fuH2anwohwQUv5uH2anwohwQUvd
MD5:C21274C4F77561BF20C37CB9C4D2B0F4
SHA1:07F3269BDA2B1FCF2CA5324484DF9191AA9479D3
SHA-256:9F45BCC8421F5DCC4DDD30A77ED6F466CD3F500E669E61724D73FCE7D15ED195
SHA-512:F85E00BDB9085BFCCCC1E4F9F16CEC9A58A9A3BCC6A7A2062A2BACF666321A07D255C5829676C4AFE7D24BEF51ECFF218B9606B25C23564DEF8E38F08F77A52E
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIE335.tmp, Author: Joe Security
Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{7194EC79-79EF-CD38-454E-84482F62C93C}'.ScreenConnect Client (f40cdcc9172e57c6)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{7194EC79-79EF-CD38-454E-84482F62C93C}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (f40cdcc9172e57c6)......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1].....@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F3F5E099-6EBE-0C3F-2261-B5C7F8C1CAEE}^.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{24139418-7B3F-A718-21A9-7B6042F6E38E}f.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{68BD4989-F8AD-BF77-90EC-79188BCD6689}c.C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsFile
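Added example, not part of the Joe Sandbox report: the dropped-file records above list the same ScreenConnect MSI (SHA-256 517F338B...) three times, once written by SecuredOnedrive.ClientSetup.exe and twice by msiexec.exe, and the installer script preview of the YARA-flagged MSIE335.tmp entry carries the per-tenant install directory name "ScreenConnect Client (f40cdcc9172e57c6)". The Python below parses records in this Key:Value layout, collapses duplicate hashes while keeping every process that wrote the file, and pulls the YARA rule names and that instance ID out as hunt IOCs. The sample text inside the block is constructed from abbreviated copies of three of the report's own entries; the function names, and the assumption that every record begins at a Process: line and that "•" lines belong to the list key right before them, are mine and not the report's.

```python
"""Extract hunt IOCs from Joe Sandbox dropped-file records.

Added example, not code from the Joe Sandbox report. Assumes each record
starts at a "Process:" line and that bullet lines ("• ...") belong to the
list-valued key immediately before them, which matches the entries above.
"""
import re

# Constructed sample: abbreviated copies of three entries from the report
# (hashes and the instance ID are the report's own values).
SAMPLE_RECORDS = r"""
Process:C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
File Type:Composite Document File V2 Document, MSI Installer, Author: ScreenConnect Software
Category:dropped
Size (bytes):9920512
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, MSI Installer, Author: ScreenConnect Software
Category:dropped
Size (bytes):9920512
SHA-256:517F338BFAE7DA39C2EAE61F559B433D05A719893762D6A7076D18D21FE036FB
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):423615
SHA-256:9F45BCC8421F5DCC4DDD30A77ED6F466CD3F500E669E61724D73FCE7D15ED195
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIE335.tmp, Author: Joe Security
Preview:...@IXOS.@....'.ScreenConnect Client (f40cdcc9172e57c6)..ScreenConnect.ClientSetup.msi.@...
"""

LIST_KEYS = {"Yara Hits", "Antivirus"}  # keys that are followed by "•" lines
INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)")
RULE_RE = re.compile(r"Rule:\s*([A-Za-z0-9_]+)")


def parse_records(text):
    """Split report text into one dict per dropped file."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            # Continuation line of a list-valued key such as "Yara Hits:".
            if current is not None and last_key in LIST_KEYS:
                current.setdefault(last_key, []).append(line.lstrip("• ").strip())
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None:
            continue  # text before the first record
        last_key = key
        if key in LIST_KEYS:
            current.setdefault(key, [])
        else:
            current[key] = value
    return records


def unique_by_sha256(records):
    """Collapse records sharing a SHA-256, keeping every process that wrote it.

    The same MSI shows up once from the setup EXE and again from msiexec.exe,
    so hash-based hunting should use the unique set, not the raw record list.
    """
    unique = {}
    for rec in records:
        digest = rec.get("SHA-256", "").upper()
        if not digest:
            continue
        entry = unique.setdefault(digest, {"first": rec, "writers": set(), "count": 0})
        entry["writers"].add(rec.get("Process", ""))
        entry["count"] += 1
    return unique


def extract_iocs(records):
    """Return unique hashes, YARA rule names, writing processes and the
    ScreenConnect instance IDs found in previews and file-type strings."""
    iocs = {"sha256": set(), "yara_rules": set(), "instances": set(), "writers": set()}
    for rec in records:
        if rec.get("SHA-256"):
            iocs["sha256"].add(rec["SHA-256"].upper())
        iocs["writers"].add(rec.get("Process", ""))
        for hit in rec.get("Yara Hits", []):
            m = RULE_RE.search(hit)
            if m:
                iocs["yara_rules"].add(m.group(1))
        # The 16-hex instance ID names the install directory and is specific
        # to the ScreenConnect tenant that built this client.
        for field in ("Preview", "File Type"):
            for m in INSTANCE_RE.finditer(rec.get(field, "")):
                iocs["instances"].add(m.group(1))
    return iocs


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for digest, info in unique_by_sha256(recs).items():
        print(f"{digest}  x{info['count']}  written by: {', '.join(sorted(info['writers']))}")
    print(extract_iocs(recs))
```

Feeding the full report text to parse_records works the same way; the instance ID and the install path under C:\Program Files (x86) are the values to hunt for on other hosts, since the file hashes will change with every client build while the tenant ID stays the same.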
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):207360
Entropy (8bit):6.573348437503042
Encrypted:false
SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 207360
Entropy (8bit): 6.573348437503042
Encrypted: false
SSDEEP: 3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5: BA84DD4E0C1408828CCC1DE09F585EDA
SHA1: E8E10065D479F8F591B9885EA8487BC673301298
SHA-256: 3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512: 7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.17179960098259
Encrypted: false
SSDEEP: 12:JSbX72FjGaAGiLIlHVRpIh/7777777777777777777777777vDHFqbcjp7rl0i8Q:JXQI5w7AF
MD5: 930761278D295D2B97E46ED377AA1873
SHA1: 83F9D9FB4DD62B5CA43ECBFF74D3B9040B5D3B40
SHA-256: DDEA89E793B5419D7176F85D82D1C001199050F2AC57E6580D982E9E0F3F918D
SHA-512: F0591BF0B4FCFBEA5E36A4E4E8DB96734DB21B31DE1EDEBB9E6DEEC062348757E730B82D07A370CE8060C3D57620B7E811BB4FC5B5325828198B7DE4EB45446F
Malicious: false
Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.8111634031164352
Encrypted: false
SSDEEP: 48:B8PhMuRc06WXzuFT5FBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/C0:chM1zFTbiprf0DdfH7rWCQQ4M0
MD5: 17832EDE8B389C0F8AB7B75C758A3874
SHA1: 93A76471534D1C6B043F3C3E7768344A9EE130C8
SHA-256: CAB9A9BC294EF82190278A673F55200C869CB258855EBD77633C13779C65D0CB
SHA-512: 1D7DE3870200CAFDC4B00263105BB6E0C438E20324253749C227F2C7382032AEB2D5D130BE7E3313147F852DE963A8A400B306F7E41C84E1BAC4F91283CE3CBC
Malicious: false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\msiexec.exe
File Type: MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category: dropped
Size (bytes): 435
Entropy (8bit): 5.289734780210945
Encrypted: false
SSDEEP: 12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5: F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1: C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256: 0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512: D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious: false
Preview: ..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

Process: C:\Windows\System32\msiexec.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 322696
Entropy (8bit): 5.35600090348811
Encrypted: false
SSDEEP: 1536:20IrcGd8a0CSyYtuuWOuklGXgiejy3QLYqc0Aj2CYWtTDnGWaW8LHHLORWK20iKm:CpI1crNruzmTgMAYeNf
MD5: 746348E3E28E26678A062587A4ACF042
SHA1: 5F4124C50636050057B0E8A4C11C99F758F928B5
SHA-256: 226982D069ADFE766DD017193FBEB0D99078BB4983C8290FE8364714CF6B9A92
SHA-512: B0B80C61E328FCADA9E155BD91418F77509C562F1B50240C10235AD6B3A1F0B032C03386962051244CCE50C70D348A11C38398BF0C53F1062D8FF82006DA951A
Malicious: false
Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..05/07/2022 07:40:26.485 [3724]: Command line: D:\wd\compilerTemp\BMT.ijbjbjy2.cay\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..05/07/2022 07:40:26.516 [3724]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..05/07/2022 07:40:26.547 [3724]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..05/07/2022 07:40:26.547 [3724]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..05/07/2022 07:40:26.547 [

Process: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe
File Type: data
Category: modified
Size (bytes): 2542
Entropy (8bit): 3.273538349800533
Encrypted: false
SSDEEP: 24:Oaq/8+4F3rb3+kWReHrgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVN:OaqUv7b3+AHEHdKoqKFxcxkF2
MD5: 2CB3000E703C98202AD81F5D24761672
SHA1: EAD938F5CF54F1BCB0E09E9F201003E12D375961
SHA-256: C70F70533F4D25CAF50924F3335DC56F37D25E6D97331A98D2A8125A41A85788
SHA-512: D6DCBA214371D72A042F6FAA29EA8BCF9D2C936BC0DB180930BCD8DF0D973387CADC39E388B9DA2F315F4852D5BBA89971888BB8DE923071A6C16AC928B02A1D
Malicious: false
Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.P.l.a.t.f.o.r.m.\.4...1.8...2.4.0.9.0...1.1.-.0.\.M.p.C.m.d.R.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. D.e.c. .. 2.9. .. 2.0.2.4. .2.2.:.0.4.:.0.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.(.0.x.5.).:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.

Process: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 585
Entropy (8bit): 5.035237597863963
Encrypted: false
SSDEEP: 12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vT/vXbAa3xT:2dL9hK6E46YPRj6YvH
MD5: 20AE298219639299D75F34A226DEB718
SHA1: AB030543710810BC56DE8C45FEEA3BC67DBE9B5B
SHA-256: CB2544525AE69B70C91B716BCD1224C5252820BAD79A87B967465A6D1A4C0CD1
SHA-512: F5AA4467EC9BB5C084297E467FD30590A0748782BCFCB9186EE8270201BE28E396A4A5F780338CB1F95DA9FA08FBF6D184FEB86C93281A3FB778C38595F156E9
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a16</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

Process: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 585
Entropy (8bit): 5.032926395943882
Encrypted: false
SSDEEP: 12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vE/vXbAa3xT:2dL9hK6E46YPRj6lvH
MD5: 165473DD91F16557FBA8E6D2E2E5FC4A
SHA1: 36475513D2E9BAE296EC83975AD6665AD96417E4
SHA-256: 45FBC1ACF4120817AF14C4061FAB753977717F1FE8102180CC90B1AE37FEA9C0
SHA-512: 60772755989C47D1C3D8861B8B62CAA4B70B0C68632C6EFF5DEB9C64DAC76942F2FDE8309B27F62E0079CB051BA3E3B83AAB14A21D7A2A3B8A3C763A5DFCA36F
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.032513447362367
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vyO/vXbAa3xT:2dL9hK6E46YPRj6CvH
                                                                                                                                                                                                                      MD5:D629029B6DAE660F950067B7D25604F7
                                                                                                                                                                                                                      SHA1:BF7D8410F2620025F5A65C25C1FEEDDF608BC8D9
                                                                                                                                                                                                                      SHA-256:678FF1F268D062BDD8017E6391A398417C2E69827DAFB2294A6DDA4B274A64B4
                                                                                                                                                                                                                      SHA-512:AEEE05D81E64C302DFB4EC4B2F071D5457241A58EFA01A0FD1E7644D9B635EFBB0C0910DEFDD6E0F72122B902F06154F3170B985B5E3AA63CA7388D4280AD29B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a32</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.032926395943882
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vk/vXbAa3xT:2dL9hK6E46YPRj6xvH
                                                                                                                                                                                                                      MD5:9925BA94923BFADE325D08C3CA5DCA57
                                                                                                                                                                                                                      SHA1:BA00B898FABB6B22EC1A3BF9A566761602C4DF14
                                                                                                                                                                                                                      SHA-256:BF8587FE27ADEF9492CCD6E26A16BC4778263E16803FCB185A64223CF8B6F3F1
                                                                                                                                                                                                                      SHA-512:7CCD4C01FA42A6339CB88B581ECA9E7F5721CDF97110E7B9E247C5FB847DED7C62434760F9C63E0A22015031C5AD3609704B3A5953524C6C427439863B2D7430
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.035237597863963
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5v3w/vXbAa3xT:2dL9hK6E46YPRj6ZvH
                                                                                                                                                                                                                      MD5:604AE3BD73BD38A1CAC6CE0BB5DC4E23
                                                                                                                                                                                                                      SHA1:27EFC5D7E2BD2A0C8AD75ED8478A836A17E07C5D
                                                                                                                                                                                                                      SHA-256:8941F1573FDEE319E570852C5EB9D08BF77DF138C971219C606BE8BE83BF3B0A
                                                                                                                                                                                                                      SHA-512:1A1DD1A9CD8DB1A3A5B40C20A44EF4DC3CD62C1EA58ABF7CCBC736BFE2B3F248D4FDA0FF09A8A310ACB73A611AB2B4EDC7816B984E0881868C004399EC2DEE76
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a19</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.033279910637079
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vf5/vXbAa3xT:2dL9hK6E46YPRj6aRvH
                                                                                                                                                                                                                      MD5:80CC6B9A0C1E69A2FFDAFBEF8C80B6A1
                                                                                                                                                                                                                      SHA1:55EF33738F591FD1BC824AF453B1C72C518C404D
                                                                                                                                                                                                                      SHA-256:D0B5D7A5F06C3BB7ACFE867E43E280E003C94FA842951CBD487905A827CF2348
                                                                                                                                                                                                                      SHA-512:158CFB3D91157051C3CB3CEA7F62DE80D1A2291D2B26998BF6A634E5531EC50BEC75E35E9E1DDB438113BD5B5208E9439A12646CF1D2AD2A7A5D818D2A21C9D0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a14</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.030543080472885
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5v+e/vXbAa3xT:2dL9hK6E46YPRj6svH
                                                                                                                                                                                                                      MD5:74F3B8A952CEBCF1B7581D11FCD71D35
                                                                                                                                                                                                                      SHA1:77341317146934020C5DF80EB96442567370A131
                                                                                                                                                                                                                      SHA-256:30932332641FBBB8E3F0261CF6AA8CFA77440F7F79A4F80CD42866159FF64D52
                                                                                                                                                                                                                      SHA-512:1595C5623650A1FF068941C09D482288E136860E340BA6C112475E8EDB4B07217A8F5B2DD02E1D552CED72CAD1AED1830BBB656EA411BBC2594F328A8D41EED1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a06%3a00</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):585
                                                                                                                                                                                                                      Entropy (8bit):5.033279910637079
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlC26S5vf5/vXbAa3xT:2dL9hK6E46YPRj6aRvH
                                                                                                                                                                                                                      MD5:80CC6B9A0C1E69A2FFDAFBEF8C80B6A1
                                                                                                                                                                                                                      SHA1:55EF33738F591FD1BC824AF453B1C72C518C404D
                                                                                                                                                                                                                      SHA-256:D0B5D7A5F06C3BB7ACFE867E43E280E003C94FA842951CBD487905A827CF2348
                                                                                                                                                                                                                      SHA-512:158CFB3D91157051C3CB3CEA7F62DE80D1A2291D2B26998BF6A634E5531EC50BEC75E35E9E1DDB438113BD5B5208E9439A12646CF1D2AD2A7A5D818D2A21C9D0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-cb2j07-relay.screenconnect.com=145.40.105.136-30%2f12%2f2024%2003%3a05%3a14</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                      Entropy (8bit):1.8111634031164352
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:B8PhMuRc06WXzuFT5FBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/C0:chM1zFTbiprf0DdfH7rWCQQ4M0
                                                                                                                                                                                                                      MD5:17832EDE8B389C0F8AB7B75C758A3874
                                                                                                                                                                                                                      SHA1:93A76471534D1C6B043F3C3E7768344A9EE130C8
                                                                                                                                                                                                                      SHA-256:CAB9A9BC294EF82190278A673F55200C869CB258855EBD77633C13779C65D0CB
                                                                                                                                                                                                                      SHA-512:1D7DE3870200CAFDC4B00263105BB6E0C438E20324253749C227F2C7382032AEB2D5D130BE7E3313147F852DE963A8A400B306F7E41C84E1BAC4F91283CE3CBC
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\SystemTemp\~DF23B33A70C9B36438.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):69632
Entropy (8bit):0.23840872873091967
Encrypted:false
SSDEEP:48:PYUtdDBAdu/CS3qcq56Adu/CSidzKDduQkE7usWC/ViTEl5karN7B:ghxprf0DdfH7rWCQQ4y
MD5:F792A66F860531291FFFB6E7BFE9B930
SHA1:8960D700BA8B5C1CD6A9D07E30F071888864EC4C
SHA-256:C8B00C14B6398183F9BBACB6182B15146BBA154B44996846D338AB3BB8670A65
SHA-512:EE6D0A41229D5F79C4A475761C7EE00C5ECAD83A17A186063BEAF3A9FDDF2E0D2FA4DA0E02B65A5E8A309892D29B535B846551B3100D30B64D2B63FAD29D3B32
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\SystemTemp\~DF3E7AF8623EFBA648.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.07737110662085729
Encrypted:false
SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOgDbXsTHZqjSKChiVky6l51:2F0i8n0itFzDHFqbcjp7r
MD5:23CD5BC9C9E3CFA6DF98D2177DAEC21E
SHA1:B648F760EBB611056CB3C4C147FE9A2C3D299F68
SHA-256:9CC7F66D07429154F1DEABDC405152765156812EAACDC9030165BE5FD6910D1B
SHA-512:FDDEE2387738F34502F86E744D0512A5FA05D7285CE35848F7F03A4D23467F6914664064B4A89BF0A6E1A2610190960FC8AA613F4DD010B5D0D34015034475E8
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4285007542833643
Encrypted:false
SSDEEP:48:gpkuQvh8FXzvT5aUdBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/CS3:gkoRToEiprf0DdfH7rWCQQ4M0
MD5:9B9957DB2EEF5AB47C5D6E98C1CF3FD7
SHA1:E691BADB6BC2EF9A477F5E4EA631277B4D80C72A
SHA-256:64ECF2CA444BE257364A80B479DBFE3D831F732F702397747D86A05BC59C2990
SHA-512:8833A24BF79A29649CA87E32E3A62E2A05C208A7D83216F917B1F4A061A7F9EE3BB9FF1F77C838D4C9BD6EB1AAD50B0AA3CC63D6F076AF27352350DA8D89545E
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF1EE28CC3FA69E8B2.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4285007542833643
Encrypted:false
SSDEEP:48:gpkuQvh8FXzvT5aUdBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/CS3:gkoRToEiprf0DdfH7rWCQQ4M0
MD5:9B9957DB2EEF5AB47C5D6E98C1CF3FD7
SHA1:E691BADB6BC2EF9A477F5E4EA631277B4D80C72A
SHA-256:64ECF2CA444BE257364A80B479DBFE3D831F732F702397747D86A05BC59C2990
SHA-512:8833A24BF79A29649CA87E32E3A62E2A05C208A7D83216F917B1F4A061A7F9EE3BB9FF1F77C838D4C9BD6EB1AAD50B0AA3CC63D6F076AF27352350DA8D89545E
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF396F1F6BCFA4F979.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.8111634031164352
Encrypted:false
SSDEEP:48:B8PhMuRc06WXzuFT5FBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/C0:chM1zFTbiprf0DdfH7rWCQQ4M0
MD5:17832EDE8B389C0F8AB7B75C758A3874
SHA1:93A76471534D1C6B043F3C3E7768344A9EE130C8
SHA-256:CAB9A9BC294EF82190278A673F55200C869CB258855EBD77633C13779C65D0CB
SHA-512:1D7DE3870200CAFDC4B00263105BB6E0C438E20324253749C227F2C7382032AEB2D5D130BE7E3313147F852DE963A8A400B306F7E41C84E1BAC4F91283CE3CBC
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF6FB06F37CC3C3C50.TMP, Author: Joe Security

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.4285007542833643
Encrypted:false
SSDEEP:48:gpkuQvh8FXzvT5aUdBBPqcq56Adu/CSidzKDduQkE7usWC/ViTEl5kar2Adu/CS3:gkoRToEiprf0DdfH7rWCQQ4M0
MD5:9B9957DB2EEF5AB47C5D6E98C1CF3FD7
SHA1:E691BADB6BC2EF9A477F5E4EA631277B4D80C72A
SHA-256:64ECF2CA444BE257364A80B479DBFE3D831F732F702397747D86A05BC59C2990
SHA-512:8833A24BF79A29649CA87E32E3A62E2A05C208A7D83216F917B1F4A061A7F9EE3BB9FF1F77C838D4C9BD6EB1AAD50B0AA3CC63D6F076AF27352350DA8D89545E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF705F767D6988847A.TMP, Author: Joe Security
                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                      Entropy (8bit):7.429536247541231
                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                      File name:SecuredOnedrive.ClientSetup.exe
                                                                                                                                                                                                                      File size:5'621'992 bytes
                                                                                                                                                                                                                      MD5:58fe579f71dbeda2fd50c1b046b5f3ef
                                                                                                                                                                                                                      SHA1:84eeee9907009151ad5efc1074fb5db27bd2977a
                                                                                                                                                                                                                      SHA256:40cafa4d9e7220f582af1ecc2a4b0ea1ab4b3b76fd83a398a0ebb50eeb5fce7d
                                                                                                                                                                                                                      SHA512:1db3a9d2d8564fa5d82f67a03b97d33f2e8cd9b92253a519d93ab786ebff9e546299b3e7a1860acbb953cc769853e8a0f075f89db5194006abe9e0bc10d021fc
                                                                                                                                                                                                                      SSDEEP:49152:HEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:QEs6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                                                                                                                                                      TLSH:7746E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                                                                                                                                                      Icon Hash:2086969696969600
                                                                                                                                                                                                                      Entrypoint:0x4014ad
                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                      Digitally signed:true
                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                      Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                      OS Version Major:5
                                                                                                                                                                                                                      OS Version Minor:1
                                                                                                                                                                                                                      File Version Major:5
                                                                                                                                                                                                                      File Version Minor:1
                                                                                                                                                                                                                      Subsystem Version Major:5
                                                                                                                                                                                                                      Subsystem Version Minor:1
                                                                                                                                                                                                                      Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                                                                                                                                                      Signature Valid:true
                                                                                                                                                                                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                      Error Number:0
                                                                                                                                                                                                                      Not Before, Not After
                                                                                                                                                                                                                      • 17/08/2022 02:00:00 16/08/2025 01:59:59
                                                                                                                                                                                                                      Subject Chain
                                                                                                                                                                                                                      • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                                                                                                                                      Version:3
                                                                                                                                                                                                                      Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                                                                                                                                      Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                                                                                                                                      Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                                                                                                                                      Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                      call 00007F6E3CB21EBAh
                                                                                                                                                                                                                      jmp 00007F6E3CB2196Fh
                                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                                                      push 00000000h
                                                                                                                                                                                                                      call dword ptr [0040D040h]
                                                                                                                                                                                                                      push dword ptr [ebp+08h]
                                                                                                                                                                                                                      call dword ptr [0040D03Ch]
Programming Language:
• [IMP] VS2008 SP1 build 30729
• [IMP] VS2008 build 21022
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x129c4          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x16000          0x533074      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x546200         0x166e8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x54a000         0xea8         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x11f20          0x70          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x11e60          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xd000           0x13c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0xb1af        0xb200    d9fa6da0baf4b869720be833223490cb  False     0.6123156601123596   data       6.592039633797327   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xd000           0x6078        0x6200    8b45a1035c0de72f910a75db7749f735  False     0.41549744897959184  data       4.786621464556291   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x14000          0x11e4        0x800     1f4cc86b6735a74429c9d1feb93e2871  False     0.18310546875        data       2.265083745848167   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x16000          0x533074      0x533200  d813d73373778ed5b0a4b71b252379eb  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x54a000         0xea8         0x1000    a93b0f39998e1e69e5944da8c5ff06b1  False     0.72265625           data       6.301490309336801   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size      Type                                                                          Language  Country        ZLIB Complexity
FILES        0x163d4   0x86000   PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows                          0.3962220149253731
FILES        0x9c3d4   0x1a4600  PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows                          0.5111589431762695
FILES        0x2409d4  0x1ac00   PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows                          0.4415066442757009
FILES        0x25b5d4  0x2ec318  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows                                    0.9810924530029297
FILES        0x5478ec  0x1600    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows                                    0.3908025568181818
RT_MANIFEST  0x548eec  0x188     XML 1.0 document, ASCII text, with CRLF line terminators                      English   United States  0.5892857142857143
DLL           Import
mscoree.dll   CorBindToRuntimeEx
KERNEL32.dll  GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll  VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system  Country where language is spoken  Map
English                         United States
                                                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.632900000 CET49839443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.632953882 CET44349839145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.634473085 CET49839443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.857834101 CET49839443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.857853889 CET44349839145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:15.857988119 CET44349839145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.956654072 CET49841443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.956717014 CET44349841145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.956876040 CET49841443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.959161043 CET49841443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.959173918 CET44349841145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:17.959208965 CET44349841145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.877228975 CET49844443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.877291918 CET44349844145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.877407074 CET49844443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.879576921 CET49844443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.879594088 CET44349844145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:20.879652023 CET44349844145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.923463106 CET49846443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.923512936 CET44349846145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.923578978 CET49846443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.925915956 CET49846443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.925931931 CET44349846145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:25.925990105 CET44349846145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.760689020 CET49849443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.760749102 CET44349849145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.760817051 CET49849443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.762948990 CET49849443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.762972116 CET44349849145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:33.763020992 CET44349849145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.807686090 CET49850443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.807729006 CET44349850145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.807809114 CET49850443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.810143948 CET49850443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.810156107 CET44349850145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:05:43.810493946 CET44349850145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.594012976 CET49853443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.594054937 CET44349853145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.594137907 CET49853443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.596493006 CET49853443192.168.2.25145.40.105.136
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.596503973 CET44349853145.40.105.136192.168.2.25
                                                                                                                                                                                                                      Dec 30, 2024 04:06:01.596884966 CET44349853145.40.105.136192.168.2.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 04:03:25.247634888 CET | 53 | 54416 | 1.1.1.1 | 192.168.2.25
Dec 30, 2024 04:03:26.683979034 CET | 53 | 51324 | 1.1.1.1 | 192.168.2.25
Dec 30, 2024 04:05:15.560494900 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Dec 30, 2024 04:05:15.593270063 CET | 53 | 65046 | 1.1.1.1 | 192.168.2.25
Dec 30, 2024 04:06:01.549009085 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Dec 30, 2024 04:06:01.582669020 CET | 53 | 65046 | 1.1.1.1 | 192.168.2.25
Dec 30, 2024 04:06:07.798281908 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Dec 30, 2024 04:06:10.758986950 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Dec 30, 2024 04:06:12.617500067 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Dec 30, 2024 04:06:17.668308020 CET | 65046 | 53 | 192.168.2.25 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 04:05:15.560494900 CET | 192.168.2.25 | 1.1.1.1 | 0xa7e6 | Standard query (0) | instance-cb2j07-relay.screenconnect.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:01.549009085 CET | 192.168.2.25 | 1.1.1.1 | 0x9878 | Standard query (0) | instance-cb2j07-relay.screenconnect.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:07.798281908 CET | 192.168.2.25 | 1.1.1.1 | 0xd427 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:10.758986950 CET | 192.168.2.25 | 1.1.1.1 | 0x4bd2 | Standard query (0) | res.public.onecdn.static.microsoft | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:12.617500067 CET | 192.168.2.25 | 1.1.1.1 | 0xf9c8 | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:17.668308020 CET | 192.168.2.25 | 1.1.1.1 | 0xf3d3 | Standard query (0) | browser.events.data.msn.cn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 04:03:01.898415089 CET | 1.1.1.1 | 192.168.2.25 | 0xf380 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:03:01.898415089 CET | 1.1.1.1 | 192.168.2.25 | 0xf380 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:05:15.593270063 CET | 1.1.1.1 | 192.168.2.25 | 0xa7e6 | No error (0) | instance-cb2j07-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:05:15.593270063 CET | 1.1.1.1 | 192.168.2.25 | 0xa7e6 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:01.582669020 CET | 1.1.1.1 | 192.168.2.25 | 0x9878 | No error (0) | instance-cb2j07-relay.screenconnect.com | server-nixce85832f-relay.screenconnect.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:06:01.582669020 CET | 1.1.1.1 | 192.168.2.25 | 0x9878 | No error (0) | server-nixce85832f-relay.screenconnect.com | - | 145.40.105.136 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:07.804862022 CET | 1.1.1.1 | 192.168.2.25 | 0xd427 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:06:10.766838074 CET | 1.1.1.1 | 192.168.2.25 | 0x4bd2 | No error (0) | res.public.onecdn.static.microsoft | res-ocdi-public.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:06:10.766838074 CET | 1.1.1.1 | 192.168.2.25 | 0x4bd2 | No error (0) | res-1.public.onecdn.static.microsoft | res-1.public.onecdn.static.microsoft.edgekey.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:06:12.624049902 CET | 1.1.1.1 | 192.168.2.25 | 0xf9c8 | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 04:06:12.624049902 CET | 1.1.1.1 | 192.168.2.25 | 0xf9c8 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.27.10 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:12.624049902 CET | 1.1.1.1 | 192.168.2.25 | 0xf9c8 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.28.10 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 04:06:17.674839973 CET | 1.1.1.1 | 192.168.2.25 | 0xf3d3 | No error (0) | browser.events.data.msn.cn | global.asimov.events.data.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false


Target ID: 0
Start time: 22:03:06
Start date: 29/12/2024
Path: C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuredOnedrive.ClientSetup.exe"
Imagebase: 0x880000
File size: 5'621'992 bytes
MD5 hash: 58FE579F71DBEDA2FD50C1B046B5F3EF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1357121023.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1321846334.0000000000896000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 22:03:07
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\f40cdcc9172e57c6\ScreenConnect.ClientSetup.msi"
Imagebase: 0xdc0000
File size: 145'408 bytes
MD5 hash: FE653E9A818C22D7E744320F65A91C09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 22:03:08
Start date: 29/12/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff789430000
File size: 176'128 bytes
MD5 hash: C0D3BDDE74C1EC82F75681D4D5ED44C8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 3
Start time: 22:03:08
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding CDC695C786B87D91944C325686561171 C
Imagebase: 0xdc0000
File size: 145'408 bytes
MD5 hash: FE653E9A818C22D7E744320F65A91C09
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 22:03:09
Start date: 29/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIFF23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4981171 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase: 0xc80000
File size: 52'224 bytes
MD5 hash: A79FE1974156C5C9ED4331BF78D2DBB1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 15
Start time: 22:04:01
Start date: 29/12/2024
Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" -wdenable
Imagebase: 0x7ff61dc70000
File size: 1'687'360 bytes
MD5 hash: 7C8CFF40C38AB2F6B04DD3B02300FFE5
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                      Start time:22:04:01
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                      Imagebase:0x7ff7c7360000
                                                                                                                                                                                                                      File size:1'040'384 bytes
                                                                                                                                                                                                                      MD5 hash:9698384842DA735D80D278A427A229AB
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                      Target ID:33
                                                                                                                                                                                                                      Start time:22:05:12
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6335C8719D19856AFEB05288D3114137
                                                                                                                                                                                                                      Imagebase:0xdc0000
                                                                                                                                                                                                                      File size:145'408 bytes
                                                                                                                                                                                                                      MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                      Target ID:34
                                                                                                                                                                                                                      Start time:22:05:13
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B464B350F906B2FB2D672B4A7BCB970B E Global\MSI0000
                                                                                                                                                                                                                      Imagebase:0xdc0000
                                                                                                                                                                                                                      File size:145'408 bytes
                                                                                                                                                                                                                      MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                                                      Start time:22:05:13
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-cb2j07-relay.screenconnect.com&p=443&s=e985b3b5-2d48-4579-950f-7cf7cea64711&k=BgIAAACkAABSU0ExAAgAAAEAAQDx5HiHFBQ7XNz7ziur93mhZa2t4COlT7TxcNJFoUvIKNBIZWL%2bRlNG8E7lNMYJ3fS%2fRdLVLBfU11XNjfh1NfSqr%2fz7wGKLgi9m0NmzD1z9aU%2fKKpmPtn190fOX94X6G%2bSsVcnAZZN2LRBb3Le5VMWL7b9cVxu3OYSkV%2fHB4LRaZqRxPu%2bK%2b6yae74%2f2GCRHELmUoJ7vQvtiYA8Y63dRIaL69U%2bPybFGOPFp4%2baIfprp4ZOKdJUcwGIf2n%2f0Km%2f2NCoazOh6moRsPbR3Sp04G%2bIAR7xFLzbI2Y%2b6XuVa8qUe%2baQUZNPu0QNkpIVt86Mq%2bZ9IP8m9iKPTevRX2MxRpjM"
                                                                                                                                                                                                                      Imagebase:0x660000
                                                                                                                                                                                                                      File size:95'512 bytes
                                                                                                                                                                                                                      MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                                                      Start time:22:05:14
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe" "RunRole" "edc17081-6a59-4efc-9fc6-c2cfd9657873" "User"
                                                                                                                                                                                                                      Imagebase:0x3c0000
                                                                                                                                                                                                                      File size:602'392 bytes
                                                                                                                                                                                                                      MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000024.00000000.2597466186.00000000003C2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000024.00000002.3189241821.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (f40cdcc9172e57c6)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                                                      Start time:22:05:16
                                                                                                                                                                                                                      Start date:29/12/2024
                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                      Imagebase:0x7ff7b1130000
                                                                                                                                                                                                                      File size:79'920 bytes
                                                                                                                                                                                                                      MD5 hash:8EC922C7A58A8701AB481B7BE9644536
                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DAA13C34B002059FCB15DF69E998AAEBBE7FB88300B208529E516DB395DF70DD06CB50
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: +p^
                                                                                                                                                                                                                        • API String ID: 0-1567466223
                                                                                                                                                                                                                        • Opcode ID: af7065756ff83264fb0af2d6211de4cc7fb3c3fd074375e730e1f39244ab6ad9
                                                                                                                                                                                                                        • Instruction ID: d987f5141da45d54366e6a71b5e13bd373c4e9ee653dacb8d0de3252728a9a36
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: af7065756ff83264fb0af2d6211de4cc7fb3c3fd074375e730e1f39244ab6ad9
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23913C34B002059FCB15DF69E998AAEBBE7FB88300B208529E516DB395DF70DD06CB50
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: -"q
                                                                                                                                                                                                                        • API String ID: 0-2608517967
                                                                                                                                                                                                                        • Opcode ID: b6a17db4e624e42ff2e861b205208094aa738879a4a5f523ed5359fec95f98ce
                                                                                                                                                                                                                        • Instruction ID: 434bb5322555d4f3378e37f19a2f45138615986b706df90927315cfa780514b4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6a17db4e624e42ff2e861b205208094aa738879a4a5f523ed5359fec95f98ce
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64315E30F1020A8FDB259F69C5A87AEBBFAAF89314F104469D506EB744DB70DD058B90
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: [op^
                                                                                                                                                                                                                        • API String ID: 0-2797769974
                                                                                                                                                                                                                        • Opcode ID: 37e58d6ddfbf4d975a3bceda00d60debd17b3f7059d69c88c24ebba99f2f816b
                                                                                                                                                                                                                        • Instruction ID: 7bb283cfc6d3569bf09382f12bbb06d21a25e4014df942813ef761a129d9f322
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37e58d6ddfbf4d975a3bceda00d60debd17b3f7059d69c88c24ebba99f2f816b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F73126317012024BC711BB7DACA469E77EBEBC0714B44852FC60ACB381EEB49E0683E1
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: [op^
                                                                                                                                                                                                                        • API String ID: 0-2797769974
                                                                                                                                                                                                                        • Opcode ID: 740f729881d7ef027b6a4ab6f878c595c730df8223c07580e84fa72b962d0dce
                                                                                                                                                                                                                        • Instruction ID: a88520a4b69632b382ea188443cdea15b8c97e435c24a8267b25272f6412abef
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 740f729881d7ef027b6a4ab6f878c595c730df8223c07580e84fa72b962d0dce
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3921B0317002034B8614B77DAC9496EB7EBEBC4B55345CA2FC20ACB384EEB49E0587E1
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 0-1051994633
                                                                                                                                                                                                                        • Opcode ID: d5de4aa1d1774c59a9b010d23fadeb84fdf613ea92fe1bf0a9860720e2ec6f48
                                                                                                                                                                                                                        • Instruction ID: 61344dcbda45ded2a3cd06d5a117286d7d7860978a3bf6ea5e6dfcc5261f1e59
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d5de4aa1d1774c59a9b010d23fadeb84fdf613ea92fe1bf0a9860720e2ec6f48
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E210A74E0020A9FCB44DFA8D454AAEBBB2FF89300F11846AD415E7365DB35AA05CF55
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 0-1051994633
                                                                                                                                                                                                                        • Opcode ID: 5efa34d4ba94322f2864c100fe4f44d83e53d4decbbdc621061ad3a076dfa4c4
                                                                                                                                                                                                                        • Instruction ID: d4b05dc9587d51ea3c5ef7bbcc0b5a48f0ed5b82fa7d3a6e9d56703e4a397f85
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5efa34d4ba94322f2864c100fe4f44d83e53d4decbbdc621061ad3a076dfa4c4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E112AB4E0020A9FCB44DFA9D544AAEFBB5FF88300F10846AD915E7354DB34AA01CF95
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: cU
                                                                                                                                                                                                                        • API String ID: 0-2984249731
                                                                                                                                                                                                                        • Opcode ID: 17f52f1af11f52a48c8bd6b13fba60d2c439829a6bcea67017843f786fef024d
                                                                                                                                                                                                                        • Instruction ID: c3f9acaadda16a6382b8a14d8c023e37bdb0cff786162fa2ed5eced2d064bb41
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 17f52f1af11f52a48c8bd6b13fba60d2c439829a6bcea67017843f786fef024d
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60016D317006165FEB20965DEC44A6AB7EFEB947A8F10843BE605C7355EE70AD018BE4
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: cU
                                                                                                                                                                                                                        • API String ID: 0-2984249731
                                                                                                                                                                                                                        • Opcode ID: f5c8565642958c4bab0b5a587209d858249e98edff52f1992cc439796298868e
                                                                                                                                                                                                                        • Instruction ID: a4ea960e265ce32590878182d7623c704a474942e2bed70f3bfa935d71632e03
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f5c8565642958c4bab0b5a587209d858249e98edff52f1992cc439796298868e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56F044317006065FE724965DEC4496BB7EFEB84758B00843FE615C7345EE709D008BE4
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8d4038665d1f3d8d44aa6925e9702955e2cd4a651fc91b06f7c6329c07df29e4
                                                                                                                                                                                                                        • Instruction ID: eec742790e241887cbbe6d3947fc38f76729b848dcb3e7c38e067578860a238b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d4038665d1f3d8d44aa6925e9702955e2cd4a651fc91b06f7c6329c07df29e4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD310B346007058FD734CF2AC44495ABBF6FF89324B148A6DD5929B7A1DB31EA46CF90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 7d5444e6136b0a95dad7371c15857d2e77afb8ea764714ad444b17de8eafa166
                                                                                                                                                                                                                        • Instruction ID: 2ab93e6ac99ea9384daeea5fcd28c0c6778fd6bd04edb38593a6299579c145c3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d5444e6136b0a95dad7371c15857d2e77afb8ea764714ad444b17de8eafa166
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E310C70A007068FC734DF2AC84865AB7F6FF89314B148A1DD566DB7A5D730EA06CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 4243d98af0c2f471558835e568f44e935d0d33d183e041124cb9f41603c6343c
                                                                                                                                                                                                                        • Instruction ID: 767a0e23b044e4b1ac7ef30139b4deb7a9aee4929b22b34c8e3a36cdc17289d0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4243d98af0c2f471558835e568f44e935d0d33d183e041124cb9f41603c6343c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60318131B003414BCB11EF7DD89569EBBF6EF8922070485AAD949CB346EA30DD09C7A1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: a8c8abb92d919b55b8972a60e2b5c7b31a0a910ddaa7c0652037e96672ce8370
                                                                                                                                                                                                                        • Instruction ID: 8c812cbbd570a839e4438e73e240bd4e01ffb95acc463d6da76dd98e2ab2c19f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a8c8abb92d919b55b8972a60e2b5c7b31a0a910ddaa7c0652037e96672ce8370
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B9310970A006058FC730DF2AC84866AB7F6EF89324B148A1DD596DB7A1D731EA46CF91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: b2db030f47d45509c0b7ee64716e09406d0e9ad24d7c114255e89c003350a6c8
                                                                                                                                                                                                                        • Instruction ID: f93efa3d0397f4fe57b9798a2b220a0e32aff10e1d31e6d95baa20e07fc82cc8
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b2db030f47d45509c0b7ee64716e09406d0e9ad24d7c114255e89c003350a6c8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D831BA31E1410E8FDB15EBE8D9549DEBBB3FF89300F10842AD216AB354DA345A16DBA1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: b51b7eaab770e64263a5f61b819cd8ebf599d6d8c322f1febbf0ac09f9687373
                                                                                                                                                                                                                        • Instruction ID: 75386a931503b561ec84d6b20039236fa547c6e21362bb078b644b9ec543f2b4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b51b7eaab770e64263a5f61b819cd8ebf599d6d8c322f1febbf0ac09f9687373
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E215C30A057058FD734DF2DDA4466ABBFAAF88324B046A2DD566CB2D4D730EA05CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: ff6e915b92b18904da000babf6538d4f30ca2c22cc3be33a1abe84349fe39ba2
                                                                                                                                                                                                                        • Instruction ID: 26e958bdb853e5eb1bac4e36200a7706362d7675b997cb027a201f2a306b7dde
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ff6e915b92b18904da000babf6538d4f30ca2c22cc3be33a1abe84349fe39ba2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 992137B0E042598FDB19CFAAC8446DEBFF6AF89350F14C16AE404B7261DB345A05CF54
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 0e2cb11837535b89d82a224409da9898d0f41e7d0bbf155840882d37b8f84942
                                                                                                                                                                                                                        • Instruction ID: da3c4d3df98b7f5fd4cbc47e6135a7e1080e76d80ff795ce470feafb20e92917
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e2cb11837535b89d82a224409da9898d0f41e7d0bbf155840882d37b8f84942
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D521A170600105CBCF28CF2CD8C599A7F79EF48361B0481A9D9159B2D9EB30D956CBA0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: c51885a366f3d9b5b37abcf3c3cceaa53edecddeb216a4c24048c3de2cad423a
                                                                                                                                                                                                                        • Instruction ID: c4eb562abdc736ae017278df67a124a87d02a67bfa35472886af521e5ec9d913
• Opcode Fuzzy Hash: c51885a366f3d9b5b37abcf3c3cceaa53edecddeb216a4c24048c3de2cad423a
• Instruction Fuzzy Hash: A7213E306007058FD734CF69D94899ABBFAEF44320B008A6DE553976E1DB31EA4ACF90

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df53d82b483a8cc110f6da48522b6216eec6c44dc3b0b40a3abd62562d73b57c
• Instruction ID: a5298b93ff8592cd5db3c1f9546028b01f265c12e5994dadf4afc7b914b5fff6
• Opcode Fuzzy Hash: df53d82b483a8cc110f6da48522b6216eec6c44dc3b0b40a3abd62562d73b57c
• Instruction Fuzzy Hash: 581190793006058FCB15DBACD895A6AB7EBFFCC310B14856AE59ACB701DB32DD028B51

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d95614483c1ea57d9cf7fb5c6c8504f88ba8d9dca9cc1a3a38d67c93eb47b23f
• Instruction ID: 015c9e9b30bf0dcccb0a3d3f1f35628d2ec1247d0db620b8504faa0f3e54a365
• Opcode Fuzzy Hash: d95614483c1ea57d9cf7fb5c6c8504f88ba8d9dca9cc1a3a38d67c93eb47b23f
• Instruction Fuzzy Hash: 30111934B002018B8B55EF6DD59899EFBE7EF89260744856AE809DF345EA30ED05CBA1

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56d3d7ecc2d94ea3fbfaf05c9c83e22993c7fe8a4ee44e3f375dc51a6b6a832d
• Instruction ID: bda769b31a52c9651a9d5420ce3125b7c31e865fcd2f178c3d9dcbb9a71f812a
• Opcode Fuzzy Hash: 56d3d7ecc2d94ea3fbfaf05c9c83e22993c7fe8a4ee44e3f375dc51a6b6a832d
• Instruction Fuzzy Hash: 84116D393006058FCB15DB9DD884E6AB7EBFBCD310B24852AE58ACB340DB32ED018B51

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de5add0399c59d12369fc8fa4c1a5863bc495881d55aac64349dbbaead76d396
• Instruction ID: 660336cc379a1085af572fe2b9292aa07836a21d7c12d008a5952f2ea8734b19
• Opcode Fuzzy Hash: de5add0399c59d12369fc8fa4c1a5863bc495881d55aac64349dbbaead76d396
• Instruction Fuzzy Hash: 5D115E317002469BCB15DF9DC988F9FBBA9EF84324F04862AED58C7200DB30DA508BA1

Memory Dump Source
• Source File: 00000000.00000002.1335236344.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_177d000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39120a54b32282b7d9d55b60b3dc6dba4c7e03490d43b39dd30d7e2ca3a26384
• Instruction ID: ab9c553291f8114c4bf59676782ac073b0052e6182ef3c368d7682441c1e735e
• Opcode Fuzzy Hash: 39120a54b32282b7d9d55b60b3dc6dba4c7e03490d43b39dd30d7e2ca3a26384
• Instruction Fuzzy Hash: 900126315053409AEF324EA9C8C4B67FFD8EF813A4F0CC06AED450B283C2B99841C6B1

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51be64e08bd75dfee2609976ac59116bf8e730a76f15ca4d1944b17abf47b443
• Instruction ID: 9a2f95911e1605b6ed8cdddc893e9f8c3ea05a16a1c3655a7b54fd3b59307636
• Opcode Fuzzy Hash: 51be64e08bd75dfee2609976ac59116bf8e730a76f15ca4d1944b17abf47b443
• Instruction Fuzzy Hash: 98F096327011056BD314DA5ADC95E6BFBDBEFC9660F54802EE909C7341DD719C0283A4

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a235513cc4b8e7c0a4c79a16fbe0bf57a011efd426f281988416cbe0bfafe83a
• Instruction ID: 778c534f4514017ce0b4b88975816804fef6f7c529abacbb1b970addfdb26b41
• Opcode Fuzzy Hash: a235513cc4b8e7c0a4c79a16fbe0bf57a011efd426f281988416cbe0bfafe83a
• Instruction Fuzzy Hash: 86F022343002414FC7239B3EB42848DFBAAFBC6622305857ED54ACBA43DE249E4087E5

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fae2f828c8328b5a3e250ace33eb0e7ce1e048eaa1128db75864b3a3e3883ce
• Instruction ID: 36f6aed503905a16f35dada5c79d26feb73586f7601c58ce61f6789e5fd7c8cb
• Opcode Fuzzy Hash: 4fae2f828c8328b5a3e250ace33eb0e7ce1e048eaa1128db75864b3a3e3883ce
• Instruction Fuzzy Hash: 2DF05E317002156BC314EA9AA894DABBBDBEBC8660B55802EE90987345CD719C0287A0

Memory Dump Source
• Source File: 00000000.00000002.1335236344.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_177d000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34e90939fdba9b3b8849ff6a9795bf0df83e6fdc5209c33bff61d091be3dbcd3
• Instruction ID: f709a8a4e5274f2d811b47a6dd3f36eebb21a18e347011945db7ac9ed0cdbb5b
• Opcode Fuzzy Hash: 34e90939fdba9b3b8849ff6a9795bf0df83e6fdc5209c33bff61d091be3dbcd3
• Instruction Fuzzy Hash: 5BF0C271404244AEEB218E1AC884B63FFD8EF81674F18C06AED484B283C2B99841CAB1

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ebe785e8f1539716de69b6be8efd77399f8a64bcec498d6edf1dd8b9a547f2d
• Instruction ID: 8e665e3dfc68fc4a113a926e43f55d2a1040fa02f3d127409480d9e7d011b21e
• Opcode Fuzzy Hash: 1ebe785e8f1539716de69b6be8efd77399f8a64bcec498d6edf1dd8b9a547f2d
• Instruction Fuzzy Hash: 5EF0EC92C0E3DA8FE70383285C606603F79CA23298B0A41C7D488DF2B3E1089E19D772

Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb6a76bced960135054733592c74222cf56f1c009247e4d0597040fd77fed15
• Instruction ID: 4cf9c60eed08a05dca3fe826ae36993869b815fbdf8d89a850b958bd067ccb54
• Opcode Fuzzy Hash: 9bb6a76bced960135054733592c74222cf56f1c009247e4d0597040fd77fed15
• Instruction Fuzzy Hash: EEF06D32E5070696DB11EFA8D8003C8F3B1EF95310F318242E6087B280EBB5BAD5CB94

Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 531c71c982cb7c2415b4b49c44d129426636a1979f61ac28379f5d280bfeb326
                                                                                                                                                                                                                        • Instruction ID: 4823aa289b83ed4a02417427f1bf00f6608d113dd3bcd4c4d6a320e02fa8e2dc
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 531c71c982cb7c2415b4b49c44d129426636a1979f61ac28379f5d280bfeb326
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1EF0A7353002014B8726EB7DF40849EB7DBFBC5722340853DD546C7745EF649E408BA5
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 4cd97e87cd848f444af111609b35d0432a3c00f3ca733323b2c98d94d9b6258a
                                                                                                                                                                                                                        • Instruction ID: f19f72287828c078d5bc0c53b43600610e84a8056805be413dc3b404387716cf
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4cd97e87cd848f444af111609b35d0432a3c00f3ca733323b2c98d94d9b6258a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19F06270E0020ADFDB64DF6DC84566EBFF4AB04324F204A59E510D3391D77086418F90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 39381d450bdd8fd439bbc1f070ec66b9f3e8ba607c33e0132f0b34f800d59a0a
                                                                                                                                                                                                                        • Instruction ID: 396d1d0ceebc941d95b2f88e4ffb0b16f41d789e385b9a3768339867d3164056
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39381d450bdd8fd439bbc1f070ec66b9f3e8ba607c33e0132f0b34f800d59a0a
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35F03070E0020ADFDB64DFADC84566EBBF8AB04324F204659E524D73A1D77186418F91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2410333f25603b76d6fb87ae14cc1462c16be5535dd9885cc2bce4e84c64c0c2
                                                                                                                                                                                                                        • Instruction ID: 93028633175a14ea6ec46e8b595ab0463d6dc487ba0d5dedea33b904f83062d4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2410333f25603b76d6fb87ae14cc1462c16be5535dd9885cc2bce4e84c64c0c2
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2FF05E70D0020A9FCB40DF7CC945A6EBFF4AB04324F504A6AE114E73A1D7718640CF91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2d57e5b38de38507d4d6b34b310b0913d05a441fcf140f35f08f52f124a5b750
                                                                                                                                                                                                                        • Instruction ID: ebf25380823006d0c1b2b7a262e7f41cc917bd527f22c89a8861138bbedffcc0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2d57e5b38de38507d4d6b34b310b0913d05a441fcf140f35f08f52f124a5b750
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 21F0F870E0020A9FCB50DFACD545AAEBFF8AB08318F1046AAE518E72A1D77586448FD1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 6658ca265624e8146163be5789ab4ed3b4c0cfdf3d8ee2477d544088a525eb3e
                                                                                                                                                                                                                        • Instruction ID: 06dda640fd17ec1ead70d48b52bbb07f3038e3bd7e7017cd4ce5c4caeefdfcbf
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6658ca265624e8146163be5789ab4ed3b4c0cfdf3d8ee2477d544088a525eb3e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0E0E5313002008BC722AF78B40809D7BA3FBC1722355856EC14ACB64ADF689A458B95
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 207884881b1e721bd874192b3b5e9692132de135a488bace53934fb00fd1364f
                                                                                                                                                                                                                        • Instruction ID: e3ac9bda4386d796b8b0dec2a9609757b439ce473578210d7f62cd74066575a2
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 207884881b1e721bd874192b3b5e9692132de135a488bace53934fb00fd1364f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E7E0ED74E0520DAFCB04DFACD48669DBFB5EF48314F4085AAD845AB350EA345A448F85
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 044e15a0c51c54c8f2e5b349ad7e7bbce74febc95f86a6218bc95dc2be51e862
                                                                                                                                                                                                                        • Instruction ID: 723c5b518b60cdece3b8e557f567aeb9f645f6dd17aa050f4996d176dcb87e05
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 044e15a0c51c54c8f2e5b349ad7e7bbce74febc95f86a6218bc95dc2be51e862
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9FE08674A00219EBCB01DFB8D90979CB7BAEB84210F5040A9E509D7300DAB15F40AB54
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2378dc48d6f88e9a42e070852ed4ccc0cd4e85a3d703ffcf3f85ab2ce422bd37
• Instruction ID: baf0cf6bc22d4b5f89d15cda3de6e8be01387ab5eb4ebc716e1e2fc05e368afd
• Opcode Fuzzy Hash: 2378dc48d6f88e9a42e070852ed4ccc0cd4e85a3d703ffcf3f85ab2ce422bd37
• Instruction Fuzzy Hash: 57E04F31A12259AFCB00DBA8D94569DBFB6EB46214B0045EAE50993251EA311E009B65
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70eb214671268740745253f3cc1d45bc4c6894290405f2e1f4136137a9ad5a13
• Instruction ID: 1bdeab9b288e2a679040b94ac0905f333d3b7dcfd707b427932efbb49c50048a
• Opcode Fuzzy Hash: 70eb214671268740745253f3cc1d45bc4c6894290405f2e1f4136137a9ad5a13
• Instruction Fuzzy Hash: ABE0B674E0520CAFCB48EFACD58549DBFF6EF88300F0085AE9809E7350EA345A448F85
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0049d3f209849283587720e48e8b9d93cf5e35d55261bb3de4228d74b84296cc
• Instruction ID: e9ad5637e216fb7f5de1fc8b3efcc725e4b0515573f712f82887560d12a8ee4f
• Opcode Fuzzy Hash: 0049d3f209849283587720e48e8b9d93cf5e35d55261bb3de4228d74b84296cc
• Instruction Fuzzy Hash: 04D01230A01209EB8B00DFA8D90559DB7F6EB84210B1081A9D509D7200EA711F409754
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a206300567410e23f3d16cb0c44853213325f74446e9b48169a11aa4c7c03abf
• Instruction ID: 1b5ded6575ef420a31c1e0cd6dd4e2592efc80c5d216fe91ef92d85732f3c372
• Opcode Fuzzy Hash: a206300567410e23f3d16cb0c44853213325f74446e9b48169a11aa4c7c03abf
• Instruction Fuzzy Hash: 8AD05B30A0120DEFCB00DFACD94559DBBFAEB45214B1041EDE509D3350EA311F009765
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f55785e412b33020dc649f11ba75b6b38e19100b46393205bc8908d5c7a8d15
• Instruction ID: dee61b045f8666e0bd794d75a57ab264d004020828ee2fb78b95bdae5e492b8e
• Opcode Fuzzy Hash: 1f55785e412b33020dc649f11ba75b6b38e19100b46393205bc8908d5c7a8d15
• Instruction Fuzzy Hash: 5DD02B3021030183DE205F7C58043163B99BB41338F3043189961863D5EB21C90386D0
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ba03a2d2df04290c2d67227acedc42c123e763e39ec9f6ba0daae55db99c4c4
• Instruction ID: f0a46ac6b93d0be8d5118d7001f34922313f42a626e15e530a0aad30ccb575c3
• Opcode Fuzzy Hash: 1ba03a2d2df04290c2d67227acedc42c123e763e39ec9f6ba0daae55db99c4c4
• Instruction Fuzzy Hash: 04C002B661000067CB08EE30DD65B53B756EB96209F38CDA9B405CB395DA2AED038650
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49a1ca43f662edf528c53ac639e6cdd2bd45a1f9f1fc474b10724c15bcda7871
• Instruction ID: f14512ab3a9d2234e1e55eb045d51ca3e3cb20c8a8b13d6f43b5f45ef876abc1
• Opcode Fuzzy Hash: 49a1ca43f662edf528c53ac639e6cdd2bd45a1f9f1fc474b10724c15bcda7871
• Instruction Fuzzy Hash: 01C01270614305878E249F79540852A3B9E7B443287304758A5258B3D5DB72D9034AE1
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5ff068015505ca92341a0a1add8cad2c37fcae7b136d15e5b80f42e30e993e4
• Instruction ID: f08b3e681a4dcb2f96898ac9d7b05ba9dc8de4cae406d4c20b0a77539fa884a9
• Opcode Fuzzy Hash: a5ff068015505ca92341a0a1add8cad2c37fcae7b136d15e5b80f42e30e993e4
• Instruction Fuzzy Hash: 14C012316593884FC30177ECFC1AD413F69E901214344409BEA484E2A2AD645554C355
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e093b27c20e7b2dfaa7498467276d3ed4eb224643d792c5f53e61ceb6ba9526d
• Instruction ID: 17c13621d2c7c1dc7ca79d2cbe1773b4057695b437445800dbb117ca3a874b7b
• Opcode Fuzzy Hash: e093b27c20e7b2dfaa7498467276d3ed4eb224643d792c5f53e61ceb6ba9526d
• Instruction Fuzzy Hash: C9C08CA0A012028BCF22B788ADA9B963B72FB82321F58C49BC055DB213CB5888D58651
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b836a17bd4dff2ee1e4443884c961dae336de3f739c3ae17b9167bbe6688e0f3
• Instruction ID: 9542af6a3ad074d05db303642142ace08938bdb0898e4ccb1fb489d71a090933
• Opcode Fuzzy Hash: b836a17bd4dff2ee1e4443884c961dae336de3f739c3ae17b9167bbe6688e0f3
• Instruction Fuzzy Hash: 31B0927490530CAF8714DA9D9A4181ABBACDA4A250B8001D9E9088B320D932AD105AD1
Memory Dump Source
• Source File: 00000000.00000002.1335616681.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1860000_SecuredOnedrive.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c52933e8e6f722f1fe5b92fc67acdc9b5181a04c379727a740b8aa7371761ee9
• Instruction ID: ef6140c4f672adf4c3144b6bfb2bf41e4ccd858a10796f57fa0575e665bf4784
• Opcode Fuzzy Hash: c52933e8e6f722f1fe5b92fc67acdc9b5181a04c379727a740b8aa7371761ee9
• Instruction Fuzzy Hash: 25B0123065120D4BC600B76CF80DE443B5FF540218380441AB30D097516DA429904699
Strings
Memory Dump Source
• Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: c746c12287011dfbcf91272d522b7c2da3a84a896d226bea509c27110c43afed
• Instruction ID: d879c2d13318a3bcb43afdaaa3e17653605711cdf2cb3845a2165e1bf76a6b28
• Opcode Fuzzy Hash: c746c12287011dfbcf91272d522b7c2da3a84a896d226bea509c27110c43afed
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40C14D75A00619CFCB44DF68C884A99B7F6FF49311B21C2A9E909AB365D734EC85CF80
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: 4Y!q
                                                                                                                                                                                                                        • API String ID: 0-2533224860
                                                                                                                                                                                                                        • Opcode ID: e04642c54c6e424830ce98ed9be15dafde4c1bd11b63754a9dfaa02abff577d9
                                                                                                                                                                                                                        • Instruction ID: 2e9911e3b3cabf9178f53c50bb36e8614bd2d29b39629e504c82661598b465e0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e04642c54c6e424830ce98ed9be15dafde4c1bd11b63754a9dfaa02abff577d9
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5C81DE30B00225EFCB149F64E868BAEBBFAFF84711F10856DD4269B391CB759845CB90
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 0-1051994633
                                                                                                                                                                                                                        • Opcode ID: 92ae2e505ee8ab9a01c5fa8d6c2de7431e9bbae37244ea78dcf863c06876b288
                                                                                                                                                                                                                        • Instruction ID: f9cb85a2ffba50c2186b741aefa6397c1dd1d46264c5ca4b286c03ddb21b267c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92ae2e505ee8ab9a01c5fa8d6c2de7431e9bbae37244ea78dcf863c06876b288
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 012122B5D002098FCB14CFAAC5846EEFBF5FF88314F14842AD929A7240DB75A945CFA1
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 0-1051994633
                                                                                                                                                                                                                        • Opcode ID: 5c7c609f718203ee996b46b191170d1ee3ff126c2a76ace09e4f8ba48e156ddf
                                                                                                                                                                                                                        • Instruction ID: 96f43fc717ed8ee690cdb9a0710bbb1e50e255edc4552d51b3da1f02e9de7968
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c7c609f718203ee996b46b191170d1ee3ff126c2a76ace09e4f8ba48e156ddf
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 891106B5D002098FCB14DFAAC5846EEFBF5FF88314F50842AD51967240CB75A945CFA1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: b5e7832bc7aae75047b78285876d11837ed5095fe8825cf8a8e9c83458c5f5dc
                                                                                                                                                                                                                        • Instruction ID: 4fc7943cfb3778334b686fc43cddfc00f3cea5a7bf27a6135dfe0a49ca3bd7a6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b5e7832bc7aae75047b78285876d11837ed5095fe8825cf8a8e9c83458c5f5dc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E918D35A00619CFCB04DF78D8945ADB7F6FF88311B15866AD809AB354EB74ED81CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: cc596aa9d09ee7c59f4dfc58805b00b754e52a48662b25d916669fe01a26a0f8
                                                                                                                                                                                                                        • Instruction ID: 2f0d3c54835ead96052ab095337de70026a33fcca1bd5a12e1fa22cd2ddcfff7
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc596aa9d09ee7c59f4dfc58805b00b754e52a48662b25d916669fe01a26a0f8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55717535B011149FDB099BB9D865AAEB6EBBFCC311F158029E506AB390DE75DC028790
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 062e4441b99615373d117deef003c7880b841ee93cabb8f84d4ce4c5ed125d33
                                                                                                                                                                                                                        • Instruction ID: 47a7ea403a5844ec76eac3df3b058ed5451b9f9eb1cacb68a0e299838d2a84e2
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 062e4441b99615373d117deef003c7880b841ee93cabb8f84d4ce4c5ed125d33
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5161D030D053488FCB02DF78D851ADD7FB2BF86300F15819AE145AF292DB785948CBA5
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 9d7239bddacd5d416d2d032f4065d45ca97574570b2dab0d64cd17d89761ebf1
                                                                                                                                                                                                                        • Instruction ID: ee5e9e79422e5245948d6101e96e475ea94b2dbb5a1f262af567384854a68339
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d7239bddacd5d416d2d032f4065d45ca97574570b2dab0d64cd17d89761ebf1
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5251A075B012598FC715DFB8D8406AEBBFBFBC9251B18816AE405D7355DA348D02C7A0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 5e7af18352fc088c8a783b701b454deb0762958b732135adaa1e3f3c7347635b
                                                                                                                                                                                                                        • Instruction ID: efb55257c3952ec64115ada8c30bea0e00e59bf83a136d133ff221561aba8266
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e7af18352fc088c8a783b701b454deb0762958b732135adaa1e3f3c7347635b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57515A35B006148FCB05DF38D8959AEBBE7EF8921171985AAD846DF355DB38EC02CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        • Opcode ID: 45ddc9485d64f3342ec12dfa03156a759d7d0b414e1735caf82835e2abcc2307
                                                                                                                                                                                                                        • Instruction ID: fd732e763273da63e24520eb50f248a8236db81a20d623a22252e0fd88b3b34d
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 45ddc9485d64f3342ec12dfa03156a759d7d0b414e1735caf82835e2abcc2307
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 48218030B006199BEB18DB64E858AAE7BFBAB88712F24852DE401A7380DF745D45CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: e247d081dbb744667676fef8a6fd13ea0a55c3239743c47011eb52726a465dbb
                                                                                                                                                                                                                        • Instruction ID: 1487119fd8627d6967e0ee38c3a7243d87c1a89bae812350eae371042a178abd
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e247d081dbb744667676fef8a6fd13ea0a55c3239743c47011eb52726a465dbb
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0B212936B04294DFDB028A7489616FE7FFB9F8D252F08407AE946DB251DE28CD038761
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 1ef093ac5b4528f702f79a03d9046e8a208b5bf2c370ad57a1882fc3807ad381
                                                                                                                                                                                                                        • Instruction ID: 46357595d42eb3ed870a2e54f0e5fc7dd6d110a7b2d19204bf2e9bfa9fff8ca4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ef093ac5b4528f702f79a03d9046e8a208b5bf2c370ad57a1882fc3807ad381
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D214430B00619DBDB18DF54E895AAE77FBEB88712F24812DE402A7380DF745D41CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 04a1589cb3011624b7f865b0b4d94c19eac21ac07e6d5bb17422de869aeaec9e
                                                                                                                                                                                                                        • Instruction ID: 4cc4a25e08d2b08492f30317097785e9ef12834fa1414f56bcae418361347543
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 04a1589cb3011624b7f865b0b4d94c19eac21ac07e6d5bb17422de869aeaec9e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA110824B163784FDB25227954543FE2EEF4F82213F0444BEE946CB78ACD988C065392
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: f7b5bb367a248e8fbaacec9d7a9892895a8ca6dc4de59b75a7347a7eb5a434ab
                                                                                                                                                                                                                        • Instruction ID: 79e0a1c3a58e1c20dc6c8759b7a49142b765926105c5500bb5f91adb3b5e26dd
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7b5bb367a248e8fbaacec9d7a9892895a8ca6dc4de59b75a7347a7eb5a434ab
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6621D834A101199FDB04DBA4D851ADE7FF7AFCC316F158459E405AB390DE799842CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: d0023c6213bac27291b03c5bd0c0e35c85be8319b37af603ebbd8eed56e22e3c
                                                                                                                                                                                                                        • Instruction ID: 3e97b747e9b17eb4e671d93520664aa631a83cd79aa6d135dc1a9ad66ad046b9
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0023c6213bac27291b03c5bd0c0e35c85be8319b37af603ebbd8eed56e22e3c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B521F475A102189FCB48DFB8D8819DEBBF6FF8D311B10816AE805EB321D7319842CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 7de6214b0f4b518bfe63c46cbe2a6fa8f78335d876f934e4e654570645e187de
                                                                                                                                                                                                                        • Instruction ID: c25ba838e18dbbbbd68a874f288c29b9a3225c9b1f1a235b03cea6270b960390
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7de6214b0f4b518bfe63c46cbe2a6fa8f78335d876f934e4e654570645e187de
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 82118134E102199FDB04DB68D851AAE7BFBAFCC315F158069E405AB380EE799C42CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 38f5c434157042e42c4eb1803de51a9abe412de2d372e643bfedf82fcfa99815
                                                                                                                                                                                                                        • Instruction ID: 64010301abad825846c8e31b9c5d3ea73feb75fdbe15384743c31c4955488f53
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38f5c434157042e42c4eb1803de51a9abe412de2d372e643bfedf82fcfa99815
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46115474E101189FDB04DB64D952AED7BABAF8C316F14849AE409AB380DF7D9C41CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8eb26fc5ce9b00217a367f39fa71e5c217abe5cc64df789645e6c4fbdae078eb
                                                                                                                                                                                                                        • Instruction ID: f27ccd81ce8072c0b626625638840d9e420c7d29cfc69140aaf53270f2f04d1f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8eb26fc5ce9b00217a367f39fa71e5c217abe5cc64df789645e6c4fbdae078eb
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2110674E101189FDB04DB54D952AAD7BBBAFCD316F148499E405AB380DF7D6C41CB90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        • Opcode ID: 249a5464c0505da4eef3b63214c528f903b0647751ed738904c16be5c61d7a86
                                                                                                                                                                                                                        • Instruction ID: 98c629087fce4b1a49167646af9105f784da0d60345ebd953e77c2ff1c76d448
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 249a5464c0505da4eef3b63214c528f903b0647751ed738904c16be5c61d7a86
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6601F235B0462947EB15ABAC86553EF7BFB9F8E701F2580ADD002EB381CE750C0187A1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 670787725337b32b770e5a2fbeb572bd41e86d80b1f07bbe3c88c1d0183ffd2e
                                                                                                                                                                                                                        • Instruction ID: bdba4d22ed41c21ba29f719ac9ac56b30d810d4176256cb673883acc1a1968e3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 670787725337b32b770e5a2fbeb572bd41e86d80b1f07bbe3c88c1d0183ffd2e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68F05CB630533093DB20953764D5A7F6ACFAFC9616F04813DF90987380DAB58C02D2A0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 075d7d75a1ae9870a620ba87bc142b38c63ce53695d656b8259dd8f7f781dad3
                                                                                                                                                                                                                        • Instruction ID: a7c5109fcf7b1ef92228f983089e27505a5d14c18957662fde3ee05a0e39c97e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 075d7d75a1ae9870a620ba87bc142b38c63ce53695d656b8259dd8f7f781dad3
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9AF0AE3130031547C720565EEC8549F77DFEFC0621300953EE509CB240EEE9AD014BA0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8106350b9d83dfd75de6ec77e5df385d350f3057ab97fb8d71a694ea70cf77bd
                                                                                                                                                                                                                        • Instruction ID: 12b6c879aeb042a62b763962a94378a3d3bc10f526bf41631cce56ac6b2a54ee
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8106350b9d83dfd75de6ec77e5df385d350f3057ab97fb8d71a694ea70cf77bd
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69F027323083810BD302562AE850697BFDDDFC7224F2540BAC088CB253CA795805C3A1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: debe0b4f6d41d4885a0edef606ad8006dc2af917e8441c9ee9e983ca477474c8
                                                                                                                                                                                                                        • Instruction ID: 6e70c4595c9289497c6a2c5fbed1dd9f781ee07f210fc8e14ed67443a2e1654f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: debe0b4f6d41d4885a0edef606ad8006dc2af917e8441c9ee9e983ca477474c8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EF0ECBA70533087D724957655C177E6BCF6FC9517B04403DE909873C0DAB488019650
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: f7506322415c4bf1bf4eee4b151019f3f6153572595a62bfa1dff1a8a423deeb
                                                                                                                                                                                                                        • Instruction ID: 23233054c891507d3e216abe867b1a5cc048f57ae5efd28059ab0bd23411d385
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7506322415c4bf1bf4eee4b151019f3f6153572595a62bfa1dff1a8a423deeb
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ABF06D31E352868BDF0D8FB8A52206D3FE7AEC221530509EF9442CF191FD2C5405CB91
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 669847461f2ebfd9feb5d7fbd3cfd9c39677d0e29a7e30ee8f8e1742d696b09f
                                                                                                                                                                                                                        • Instruction ID: ed2589342e14b94145fa9caf1337c002064ad2e29851bf56173390036e9145ba
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 669847461f2ebfd9feb5d7fbd3cfd9c39677d0e29a7e30ee8f8e1742d696b09f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0F0A7717003158BC721965DEC855AF77DFEFC0222304993EE50ACB280EEF999014BA0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: a1a05e9f342f3d205c4eca81a07d7ea90a953514e3b4d71a85b718b683fee58b
                                                                                                                                                                                                                        • Instruction ID: 4e9280bb4a6aaac1d1a005ee305a2a229fd4689ae26c02cda04e09a8f3d7ab1c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a1a05e9f342f3d205c4eca81a07d7ea90a953514e3b4d71a85b718b683fee58b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AEE0DF21B017780AEF7822A19A403AB18CF0F41607F0104BED88686B9BD9D4C84623A2
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: e0913b3f098457a9f07b62342d312b36471a02b369cc2c12722875346583e770
                                                                                                                                                                                                                        • Instruction ID: 9b19fa978bc1a8df8d40885265b1f5fa2a011ac4e9cdd21eb7ecc072071fcfa2
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0913b3f098457a9f07b62342d312b36471a02b369cc2c12722875346583e770
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CE086327002005BD3149A6EE88595BB3DEDBD9634B154479D50DDB355CD7AAC46C2D0
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 6743b730f6bc868c92464680e25363ac556dfa40a49b282735c4cbdf4e20d5f5
                                                                                                                                                                                                                        • Instruction ID: c5c8e97f51ca599fcba0c7669354c354de68d96d179bbd68bcd88045d57f1efb
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6743b730f6bc868c92464680e25363ac556dfa40a49b282735c4cbdf4e20d5f5
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19E06D3090A3C89FCB02CB78D99549DBFB19E42210B2586DEC489DB292D6B51E08DB02
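Every record above comes from the same dump, 00000004.00000003.1360008551.0000000008030000.00000040…sdmp, taken from rundll32 (process index 4) at base 0x08030000. When triaging a report like this it helps to pull these records out of the page into rows, decode the dump name, and check the region's page protection, since functions recovered from a writable and executable region inside rundll32 are the injected or unpacked code rather than anything on disk. The following parser is an added example written for this page, not Joe Sandbox code. It assumes the dotted .sdmp name is laid out as process index, dump type, dump id, base address, protection (a Windows PAGE_* value in hex), followed by fields it ignores; that layout is inferred from the names on this page and is not documented here. The sample records are two of the entries listed above, embedded inline so the script runs offline.

```python
"""Parse Joe Sandbox "Memory Dump Source" / "Similarity" records into rows,
decode the .sdmp name, and flag executable+writable regions.

Added example for this page; not Joe Sandbox code. The .sdmp field layout in
decode_source_file() is an assumption inferred from the names in the listing.
"""
import re
from collections import defaultdict

# Windows page protection constants (winnt.h).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Two records in the report's own layout; values copied from the listing above.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 249a5464c0505da4eef3b63214c528f903b0647751ed738904c16be5c61d7a86
• Instruction ID: 98c629087fce4b1a49167646af9105f784da0d60345ebd953e77c2ff1c76d448
• Opcode Fuzzy Hash: 249a5464c0505da4eef3b63214c528f903b0647751ed738904c16be5c61d7a86
• Instruction Fuzzy Hash: 6601F235B0462947EB15ABAC86553EF7BFB9F8E701F2580ADD002EB381CE750C0187A1
Memory Dump Source
• Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 670787725337b32b770e5a2fbeb572bd41e86d80b1f07bbe3c88c1d0183ffd2e
• Instruction ID: bdba4d22ed41c21ba29f719ac9ac56b30d810d4176256cb673883acc1a1968e3
• Opcode Fuzzy Hash: 670787725337b32b770e5a2fbeb572bd41e86d80b1f07bbe3c88c1d0183ffd2e
• Instruction Fuzzy Hash: 68F05CB630533093DB20953764D5A7F6ACFAFC9616F04813DF90987380DAB58C02D2A0
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return records


def decode_source_file(value):
    """Decode 'Source File: <name>.sdmp, Offset: <hex>, based on PE: <bool>'.

    Assumed .sdmp layout (inferred, not stated on the page):
    <process index>.<dump type>.<dump id>.<base address>.<protection>.<...>.sdmp
    The protection field is read as a Windows PAGE_* value in hex.
    """
    name, *extras = [p.strip() for p in value.split(",")]
    if not name.endswith(".sdmp"):
        raise ValueError("not an .sdmp name: %r" % name)
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) < 5:
        raise ValueError("unexpected .sdmp layout: %r" % name)
    meta = dict(e.split(":", 1) for e in extras if ":" in e)
    protection = int(fields[4], 16)
    return {
        "process_index": int(fields[0]),
        "dump_type": int(fields[1]),
        "dump_id": fields[2],
        "base": int(fields[3], 16),
        "offset": int(meta.get("Offset", "0").strip(), 16),
        "based_on_pe": meta.get("based on PE", "").strip().lower() == "true",
        "protection": protection,
        "executable": bool(protection & EXEC_MASK),
        "rwx": protection == PAGE_EXECUTE_READWRITE,
    }


def summarize(text):
    """One row per record: dump metadata joined with the function hashes."""
    rows = []
    for rec in parse_records(text):
        row = decode_source_file(rec["Source File"])
        row.update({
            "snapshot": rec.get("Snapshot File", ""),
            "opcode_id": rec.get("Opcode ID", ""),
            "instruction_id": rec.get("Instruction ID", ""),
            "opcode_fuzzy": rec.get("Opcode Fuzzy Hash", ""),
            "instruction_fuzzy": rec.get("Instruction Fuzzy Hash", ""),
            # Empty API ID / String ID fields: no API or string was attributed
            # to the function, so only the hashes identify it.
            "api_ids": [s.strip() for s in rec.get("API ID", "").split(",") if s.strip()],
        })
        rows.append(row)
    return rows


def rwx_regions(rows):
    """Map each executable+writable region to the instruction fuzzy hashes dumped
    from it; these are the hashes worth comparing against another sample's report."""
    regions = defaultdict(set)
    for r in rows:
        if r["rwx"]:
            regions[(r["process_index"], r["base"])].add(r["instruction_fuzzy"])
    return dict(regions)


def opcode_ids_match_fuzzy(rows):
    """Consistency check: in this listing Opcode ID always equals Opcode Fuzzy Hash."""
    return all(r["opcode_id"] == r["opcode_fuzzy"] for r in rows)


if __name__ == "__main__":
    rows = summarize(SAMPLE_RECORDS)
    for (idx, base), hashes in rwx_regions(rows).items():
        print("process %d region 0x%08x: %d function hashes from an RWX page" % (idx, base, len(hashes)))
```

Running it on the full report text instead of SAMPLE_RECORDS gives one set of instruction fuzzy hashes per RWX region, which is the unit to compare between two analyses of related samples; the Opcode ID check is there because the two fields are identical in every record on this page, so a mismatch would indicate a parsing error rather than a real difference.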
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 3904a55c2c39833548c35435e141bce01937079c89b535f185f61b9caf1c7022
                                                                                                                                                                                                                        • Instruction ID: 0f9170fa42e1f0469fb1f0d2e686d816694eb8b225f5562b5bd7b047f67cc09b
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3904a55c2c39833548c35435e141bce01937079c89b535f185f61b9caf1c7022
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6AE04F71E06288DFCB40DFB8E8599ED7FB2EB51204B1005DDC84AE7251E57A0E15DB41
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 70d083a0649a9ec94c960c413da8af5954923eb370553c89a8b35bd116aed5cc
                                                                                                                                                                                                                        • Instruction ID: 080231b46d43e6909d670eebd1751410e322226c465b43acc9f8812872316a7d
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 70d083a0649a9ec94c960c413da8af5954923eb370553c89a8b35bd116aed5cc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9D05E21E563B58FCB2612B860452F66FAE4F86023B0545FAE956CF61AC92848065381
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 52bfdc8468fc65a2f4adce518f85cedd0f267b948ea04446a3d9469fb6a48265
                                                                                                                                                                                                                        • Instruction ID: 6468d53d14b686155cd23ca87c955477c70edf3942057a6871c973175c78d2d3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52bfdc8468fc65a2f4adce518f85cedd0f267b948ea04446a3d9469fb6a48265
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C3D05B3620A1E44FC3079774A5624E53F769B5B21130940F7D4858F356C5650C52D751
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: d2cc85a532c1465d621ccf982493332f56764920dee141acb7cec16cf64f6714
                                                                                                                                                                                                                        • Instruction ID: c427a193f0aaf48ae1db5345a503c88488e58afcd91250217d42f864f61958a4
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2cc85a532c1465d621ccf982493332f56764920dee141acb7cec16cf64f6714
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94D0A73522212C6F8604675CD8865AE3A9FFF483913500037F4068B300CDA45C10C3D8
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 4599404ab3b33439a279aabcc16119f398631198aca82a48c35c0d3d3cbc9ffc
                                                                                                                                                                                                                        • Instruction ID: 5b61627db8c8910b3be4202de597f534c7bb57a48f7029dbc5081b764f60b727
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4599404ab3b33439a279aabcc16119f398631198aca82a48c35c0d3d3cbc9ffc
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60D05E70A0120CEFCB44EFB8ED418EEB7FBEB84205B5049ADD509D7240EA362F009B90
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 8d3cb9546b62c667b6330245d35592ca699fff6d9be98cf3809ddc70eb2c4fed
                                                                                                                                                                                                                        • Instruction ID: e7701d000e00997b5d974dcff51446ac6bd8abd02d29ee73ac459304e12aa6b7
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d3cb9546b62c667b6330245d35592ca699fff6d9be98cf3809ddc70eb2c4fed
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6D01230A0110CEBCB00DFA8D94549D77BAEB45205B10469DD509D7280EA722F049B50
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000004.00000003.1360008551.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_8030000_rundll32.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 575a55f5d7b910eac5855863b1e960ebf4623677b3f4ee1ab915df13993d6fac
                                                                                                                                                                                                                        • Instruction ID: ca36a23624af5b704b002681486cbf7930a9ab9ab39558bf4655fcbacdb9df45
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 575a55f5d7b910eac5855863b1e960ebf4623677b3f4ee1ab915df13993d6fac
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34D012B251A7805FC3534BB844044A67FB1AE2332238841E7C080CE053E1154946D731

Execution Graph

Execution Coverage: 10.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 12.9%
Total number of Nodes: 116
Total number of Limit Nodes: 3

execution_graph (flattened node/edge export of the rendered graph, summarised by entry point; an entry point is a node with no incoming edge, and each API is listed with the addresses of the nodes the export labels with that call)

• Entry 0x5500040: CreateProcessAsUserW (0x5502623); WaitNamedPipeW (0x550bc78, 0x550c0f0); CreateFileA (0x54e0244, 0x54e0250, 0x54e02ae, 0x54e0323)
• Entry 0x55010a0: ConnectNamedPipe (0x55010fa, 0x5501101)
• Entry 0x17c1238: RtlGetVersion (0x17c4c60, 0x17c4d1d); CryptProtectData (0x17ce5c7, 0x3fd0b23, 0x3fd0e48, 0x3fd1127, 0x3fd1138, 0x3fd138e, 0x3fd1638)
• Entry 0x54e29e0: RegDisablePredefinedCache (0x54e2a99)
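Joe Sandbox exports its execution graph and control-flow graphs as flattened token streams (`execution_graph <node id> <hex address> [API label] ... <id>-><id>`, and `control_flow_graph <block id> <hex start>-<hex end> [label] ... <id>-><id>`), which are hard to read raw. The following Python is an added example, not part of this report or of Joe Sandbox's tooling: it parses both formats, lists which Windows APIs each execution-graph entry point can reach, and checks that an API reference address from the report's APIs list (here `ref: 017C4DBE` for RtlGetVersion) falls inside the basic block the control-flow graph labels with that API. The token grammar is inferred from this report's own export and is an assumption; the embedded inputs are an excerpt of this report's execution graph and its control-flow graph for the function at 17c4c60.

```python
"""Triage helpers for the flattened graph exports in a Joe Sandbox report.

Added example, not Joe Sandbox code. Assumed token grammar (inferred from one report):
  execution_graph     <decimal node id> <hex address> [label ...]  |  <id>-><id>
  control_flow_graph  <decimal block id> <hex start>[-<hex end>] [label ...]  |  <id>-><id>
A label is a bare API name (CreateFileA), 'call <addr>', or a summary like '2 API calls'.
"""
import re
from collections import defaultdict

EDGE = re.compile(r"^(\d+)->(\d+)$")
DEC = re.compile(r"^\d+$")
HEX = re.compile(r"^[0-9a-fA-F]{6,}$")
RANGE = re.compile(r"^([0-9a-fA-F]{6,})(?:-([0-9a-fA-F]{6,}))?$")
API_NAME = re.compile(r"^[A-Za-z_]\w+$")  # matches 'CreateFileA', not '2 API calls'

# Excerpt copied from this report's execution_graph export (three of its four entry points).
GRAPH_EXCERPT = (
    "execution_graph 42074 5500040 42075 5500071 42074->42075 42081 55016a0 "
    "42075->42081 42085 550168f 42075->42085 42082 55016af 42081->42082 "
    "42097 5501701 42082->42097 42098 5501704 42097->42098 42102 55025d0 "
    "42098->42102 42099 5501809 42104 5502623 CreateProcessAsUserW 42102->42104 "
    "42105 55026b4 42104->42105 42105->42099 42086 550169c 42085->42086 "
    "42088 5501701 2 API calls 42086->42088 "
    "42150 55010a0 42154 5501100 42150->42154 42155 5501101 ConnectNamedPipe "
    "42154->42155 42157 5501190 42155->42157 "
    "42146 54e29e0 42147 54e29e4 42146->42147 42148 54e2a99 RegDisablePredefinedCache "
    "42147->42148 42149 54e2a7c 42147->42149 42148->42149"
)

# This report's control_flow_graph export for the function at 17c4c60.
CFG_17C4C60 = (
    "control_flow_graph 45 17c4c60-17c4cb3 51 17c4cb5-17c4cc4 call 17c4848 45->51 "
    "52 17c4d02-17c4d08 45->52 55 17c4d09-17c4dd8 RtlGetVersion 51->55 "
    "56 17c4cc6-17c4ccb 51->56 61 17c4dda-17c4de0 55->61 62 17c4de1-17c4e24 55->62 "
    "68 17c4cce call 17c52f8 56->68 69 17c4cce call 17c52e8 56->69 57 17c4cd4 57->52 "
    "61->62 66 17c4e2b-17c4e32 62->66 67 17c4e26 62->67 67->66 68->57 69->57"
)


def _parse(text, header, node_re, make_node):
    """Shared tokenizer for both exports: ({id: node dict}, [(src, dst), ...])."""
    toks = text.split()
    if toks and toks[0] == header:
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
        elif DEC.match(toks[i]) and i + 1 < len(toks) and node_re.match(toks[i + 1]):
            cur = int(toks[i])
            nodes[cur] = make_node(node_re.match(toks[i + 1]))
            i += 1  # the address token is consumed together with the id
        elif cur is not None:
            nodes[cur]["label"].append(toks[i])  # label words belong to the last node seen
        i += 1
    for n in nodes.values():
        n["label"] = " ".join(n["label"])
    return nodes, edges


def parse_execution_graph(text):
    return _parse(text, "execution_graph", HEX,
                  lambda m: {"addr": int(m.group(0), 16), "label": []})


def parse_control_flow_graph(text):
    def block(m):
        start = int(m.group(1), 16)
        end = int(m.group(2), 16) if m.group(2) else start  # single-address block
        return {"start": start, "end": end, "label": []}
    return _parse(text, "control_flow_graph", RANGE, block)


def entry_points(nodes, edges):
    """Nodes with no incoming edge: the roots the graph was drawn from."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def apis_reachable(nodes, edges, root):
    """Sorted API names on every node reachable from root; summary labels are skipped."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        label = nodes.get(n, {}).get("label", "")
        if API_NAME.match(label):
            apis.add(label)
        stack.extend(succ[n])
    return sorted(apis)


def summarize_execution_graph(text):
    """{entry address as hex string: APIs reachable from that entry}."""
    nodes, edges = parse_execution_graph(text)
    return {format(nodes[r]["addr"], "x"): apis_reachable(nodes, edges, r)
            for r in entry_points(nodes, edges)}


def locate_api_reference(cfg_text, ref_addr):
    """(block id, label) of the basic block holding ref_addr, or (None, None)."""
    blocks, _ = parse_control_flow_graph(cfg_text)
    for bid, b in blocks.items():
        if b["start"] <= ref_addr <= b["end"]:
            return bid, b["label"]
    return None, None


if __name__ == "__main__":
    for entry, apis in summarize_execution_graph(GRAPH_EXCERPT).items():
        print(f"entry 0x{entry}: {', '.join(apis) or '(no API reached)'}")
    print("ref 017C4DBE lies in block", locate_api_reference(CFG_17C4C60, 0x017C4DBE))
```

Pasting the report's full execution_graph line into `summarize_execution_graph` gives one row per entry point, which is the quickest way to see that the rundll32-side code reaches CreateProcessAsUserW plus the named-pipe client calls (WaitNamedPipeW, CreateFileA) while a separate entry serves the pipe (ConnectNamedPipe). The `locate_api_reference` check is worth running whenever the APIs list and the graph come from different snapshots: a `ref:` address that lands outside the block labelled with that API means the two views are not describing the same code.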

Control-flow Graph

control_flow_graph for the function at 17c4c60 (flattened basic-block/edge export; block id: address range [label] → successor blocks)

• 45: 17c4c60-17c4cb3 → 51, 52
• 51: 17c4cb5-17c4cc4 call 17c4848 → 55, 56
• 52: 17c4d02-17c4d08
• 55: 17c4d09-17c4dd8 RtlGetVersion → 61, 62
• 56: 17c4cc6-17c4ccb → 68, 69
• 57: 17c4cd4 → 52
• 61: 17c4dda-17c4de0 → 62
• 62: 17c4de1-17c4e24 → 66, 67
• 66: 17c4e2b-17c4e32
• 67: 17c4e26 → 66
• 68: 17c4cce call 17c52f8 → 57
• 69: 17c4cce call 17c52e8 → 57

APIs
• RtlGetVersion.NTDLL(0000009C), ref: 017C4DBE
Strings
Memory Dump Source
• Source File: 00000023.00000002.3189578581.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_17c0000_ScreenConnect.jbxd
Similarity
• API ID: Version
• String ID: $Gnr
• API String ID: 1889659487-1051994633
• Opcode ID: c80eb14fe67f3967482000014851a5460a8848233e62bfe977a82a1387e22eaf
• Instruction ID: d2152ee2f06f712d057c7c302bb121bc7a4f3015d0789af79f354a7711b48ec7
• Opcode Fuzzy Hash: c80eb14fe67f3967482000014851a5460a8848233e62bfe977a82a1387e22eaf
• Instruction Fuzzy Hash: F441AE71A01219DFDB24EF69C8187ADFBB5FB45310F0041AAD519A7280DB745A85CFD2

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        control_flow_graph 70 55025d0-5502621 71 5502623-5502629 70->71 72 550262c-5502630 70->72 71->72 73 5502632-5502635 72->73 74 5502638-550264d 72->74 73->74 75 550265b-55026b2 CreateProcessAsUserW 74->75 76 550264f-5502658 74->76 77 55026b4-55026ba 75->77 78 55026bb-55026e3 75->78 76->75 77->78
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0550269F
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateProcessUser
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 2217836671-1051994633
                                                                                                                                                                                                                        • Opcode ID: 1324930f47768d8ee22c855a20a82b4ad67d7d203b227a687fc11f6f448909ee
                                                                                                                                                                                                                        • Instruction ID: 55b4b81fcc942fda463d6bfe68fd012284f70aab67373b608bd909126e1c1965
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1324930f47768d8ee22c855a20a82b4ad67d7d203b227a687fc11f6f448909ee
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED411376900209DFCF11CFA9C884ADEBBF6FF48310F15842AE918A7250D775A955CF90

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        control_flow_graph 145 3fd0e48-3fd1678 147 3fd167a-3fd167d 145->147 148 3fd1680-3fd16c1 CryptProtectData 145->148 147->148 149 3fd16ca-3fd16f2 148->149 150 3fd16c3-3fd16c9 148->150 150->149
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03FD16AE
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3209706214.0000000003FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FD0000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_3fd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CryptDataProtect
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 3091777813-1051994633
                                                                                                                                                                                                                        • Opcode ID: 011af68545750ed03df81e39972f9709ba51cb934baa7ec3678cb2cca96c5bf8
                                                                                                                                                                                                                        • Instruction ID: 14cb0838ada8b6fe8cad43fc5bb84f1c8911a5bf4a3787ab68facf6ff1a6a39c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 011af68545750ed03df81e39972f9709ba51cb934baa7ec3678cb2cca96c5bf8
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D2128B680024ADFCF10CF9AC844ADEBBF6FB48310F18842AE914A7240D775A555CFA5

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        control_flow_graph 153 3fd1631-3fd1678 155 3fd167a-3fd167d 153->155 156 3fd1680-3fd16c1 CryptProtectData 153->156 155->156 157 3fd16ca-3fd16f2 156->157 158 3fd16c3-3fd16c9 156->158 158->157
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03FD16AE
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3209706214.0000000003FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FD0000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_3fd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CryptDataProtect
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 3091777813-1051994633
                                                                                                                                                                                                                        • Opcode ID: 77c0015d77732c111453ab486e55907e7a3eae149c6d97fccf1192e89a65b9ba
                                                                                                                                                                                                                        • Instruction ID: edca882ee958fcc973c051ae9327d12cb5faf98c1fe83e0ad96034497bcceba3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 77c0015d77732c111453ab486e55907e7a3eae149c6d97fccf1192e89a65b9ba
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 132105B6C0024A9FCF11CF9AC844ADEBBF6FB48350F18842AE914A7240D775A555CFA5
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 63658182fb04628036d86f9dee41538f5afed652ec8bae8b41d359d9ad98c3ae
                                                                                                                                                                                                                        • Instruction ID: 9cc399a339c500db574e9fb34b87c0190974b136a0201a1c2bc0631791befab6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 63658182fb04628036d86f9dee41538f5afed652ec8bae8b41d359d9ad98c3ae
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0322B74A002198FDB54DF68D854AADBBF2FF88304F1485AAD50AE7395DB70AD81CF90

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        control_flow_graph 0 54e0244-54e024d 1 54e02ce-54e02d3 0->1 2 54e024f-54e02ac 0->2 4 54e0300-54e0383 CreateFileA 1->4 5 54e02d5-54e02d7 1->5 3 54e02ae-54e02cc 2->3 2->4 3->1 14 54e038c-54e03ca 4->14 15 54e0385-54e038b 4->15 6 54e02fa-54e02fd 5->6 7 54e02d9-54e02e3 5->7 6->4 9 54e02e7-54e02f6 7->9 10 54e02e5 7->10 9->9 12 54e02f8 9->12 10->9 12->6 19 54e03cc-54e03d0 14->19 20 54e03da 14->20 15->14 19->20 21 54e03d2 19->21 22 54e03db 20->22 21->20 22->22
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 054E036D
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3217714664.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_54e0000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 823142352-1051994633
                                                                                                                                                                                                                        • Opcode ID: b4d79b0e9830e5275836f122c4f1e3abbcbf7bbaab34b2079bc8727c511e1d3f
                                                                                                                                                                                                                        • Instruction ID: 50ba801d09c63057724e8d8645016cf9b6aa48ed7e750ebeb50c453df29e49ea
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b4d79b0e9830e5275836f122c4f1e3abbcbf7bbaab34b2079bc8727c511e1d3f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A514771D00249CFDB14CFA9C948BDEBBF2FB48304F24816AE819AB394D7B49845CB81

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                        control_flow_graph 23 54e0250-54e02ac 24 54e02ae-54e02d3 23->24 25 54e0300-54e0383 CreateFileA 23->25 24->25 30 54e02d5-54e02d7 24->30 31 54e038c-54e03ca 25->31 32 54e0385-54e038b 25->32 33 54e02fa-54e02fd 30->33 34 54e02d9-54e02e3 30->34 41 54e03cc-54e03d0 31->41 42 54e03da 31->42 32->31 33->25 35 54e02e7-54e02f6 34->35 36 54e02e5 34->36 35->35 39 54e02f8 35->39 36->35 39->33 41->42 43 54e03d2 41->43 44 54e03db 42->44 43->42 44->44
                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 054E036D
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3217714664.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_54e0000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                        • String ID: $Gnr
                                                                                                                                                                                                                        • API String ID: 823142352-1051994633
                                                                                                                                                                                                                        • Opcode ID: 9d667275b5a135114b420fa9fa66fc867c5fc0e772d6f47e9259a0d0cf4cd66b
                                                                                                                                                                                                                        • Instruction ID: 67170171dee1a240300011f8ccba50e59ae2f2abadd1896d33cc98c954612e49
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d667275b5a135114b420fa9fa66fc867c5fc0e772d6f47e9259a0d0cf4cd66b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB413771D00249DFDB14CFA9C948BDEBBF2BB48304F14812AE819AB390D7B59845CF91

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the CreateProcessAsUserW call listed below)
APIs
• CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0550269F
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
Similarity
• API ID: CreateProcessUser
• String ID: $Gnr
• API String ID: 2217836671-1051994633
• Opcode ID: 7f38845d3001cea4760a8cd1178c5702c5c779428fe72efc7b1df9b6c1d2d1fc
• Instruction ID: db4819099429b67335d884dffcf0b7cbcc95b66f525cd7ef1b98613e4e28ca3e
• Opcode Fuzzy Hash: 7f38845d3001cea4760a8cd1178c5702c5c779428fe72efc7b1df9b6c1d2d1fc
• Instruction Fuzzy Hash: 5F41567A900209DFCF10CFA9C884ADEBBF2FF48310F14842AE858A7250D734A955CF90

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the RegDisablePredefinedCache call listed below)
APIs
• RegDisablePredefinedCache.ADVAPI32 ref: 054E2AB1
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217714664.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_54e0000_ScreenConnect.jbxd
Similarity
• API ID: CacheDisablePredefined
• String ID: $Gnr
• API String ID: 1885667121-1051994633
• Opcode ID: e6209f951935bdc175e2d7ec38b2fee02989f6ec060dd4a449741e62f560e82d
• Instruction ID: 1b6eb6bd11b5dc32937d22b19f3b7cdeec3ae67730630cbf3296b46509a8579d
• Opcode Fuzzy Hash: e6209f951935bdc175e2d7ec38b2fee02989f6ec060dd4a449741e62f560e82d
• Instruction Fuzzy Hash: 4E316774D00209DFDB24DFA5D948BDEBBBABF88314F14842AD806A7384DBB46845CF91

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the ConnectNamedPipe call listed below)
APIs
• ConnectNamedPipe.KERNEL32(00000000), ref: 05501178
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID: $Gnr
• API String ID: 2191148154-1051994633
• Opcode ID: 0dbd77dbee04214070d0353b8566fc7c86fc7ee1926c01e522f121b85e29f540
• Instruction ID: 2009d293867357e9aacce49ae90225ce15bb21bae6c9b09e455b98cfdb8c92a7
• Opcode Fuzzy Hash: 0dbd77dbee04214070d0353b8566fc7c86fc7ee1926c01e522f121b85e29f540
• Instruction Fuzzy Hash: 2B3124B4D042489FCB28CFAAD984B9EBFF5BF48340F14805AE819A7380DB749944CF91

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the ConnectNamedPipe call listed below)
APIs
• ConnectNamedPipe.KERNEL32(00000000), ref: 05501178
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID: $Gnr
• API String ID: 2191148154-1051994633
• Opcode ID: 6a1ef797208c73b385241c2d54c82580300c7dc2ce564bdd6993f44ac4f7c987
• Instruction ID: ed5a5dacc1c06faf40f979ef3f2abf92fe1abcbc02a2c05e4aeca0f363549dc2
• Opcode Fuzzy Hash: 6a1ef797208c73b385241c2d54c82580300c7dc2ce564bdd6993f44ac4f7c987
• Instruction Fuzzy Hash: 9021F5B0D002589FCB14CFAAD984B9EBBF5BF48700F14805AE819A7380DB745945CF91

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the WaitNamedPipeW call listed below)
APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,0550C05E), ref: 0550C157
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID: $Gnr
• API String ID: 3146367894-1051994633
• Opcode ID: c021f80ed7240e93b49271eec8d82a18716dc2d6d6b02c2dcce302302f272c80
• Instruction ID: 0edf3d6933d22a73cea047ce4b0199647f7a5dabb8198d64b992762b84b4a387
• Opcode Fuzzy Hash: c021f80ed7240e93b49271eec8d82a18716dc2d6d6b02c2dcce302302f272c80
• Instruction Fuzzy Hash: 172134B680020A8FCB10CFAAC44469EFBF4FB49310F14856ED869A7240D778A946CFA1

Control-flow Graph
• (interactive basic-block graph not reproduced; the executed path contains the WaitNamedPipeW call listed below)
APIs
• WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,0550C05E), ref: 0550C157
Strings
Memory Dump Source
• Source File: 00000023.00000002.3217961530.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_5500000_ScreenConnect.jbxd
Similarity
• API ID: NamedPipeWait
• String ID: $Gnr
• API String ID: 3146367894-1051994633
• Opcode ID: ee8fdee41f23054be97711aa2070bdd401626b570611becd4e6c25e4170cdca3
• Instruction ID: b517060ed4e1bd2d70c219ea342ab96355864bd92d29ae38bd3895b9738a767b
• Opcode Fuzzy Hash: ee8fdee41f23054be97711aa2070bdd401626b570611becd4e6c25e4170cdca3
• Instruction Fuzzy Hash: 3B2115B68002098FCB10CF9AC4447AEFBF5FB49324F14852ED469A7340D778A945CFA5
Memory Dump Source
• Source File: 00000023.00000002.3188490519.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_110d000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb6078d85bfe783e043e7114b746ef6b1c3e964de35435f02e9a68a3a4947967
• Instruction ID: 87890dcb50a3bc7359e3fc349a6c7afb4d545ae25765baf91384d24ec9120e43
• Opcode Fuzzy Hash: eb6078d85bfe783e043e7114b746ef6b1c3e964de35435f02e9a68a3a4947967
• Instruction Fuzzy Hash: 28212BB5904244DFDF0ADF98E9C0B26BF66FB84314F248569D8090B286C376D455CBA2
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3188490519.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_110d000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 65e2f1dd3d008180d59e5fc821231efecf35c85db0d6cb3f99c50c54078436f6
                                                                                                                                                                                                                        • Instruction ID: f9e5e8074957c87700fb85dd91d2f25f2b7f5dff999c47ce0f47f7e258a1c409
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65e2f1dd3d008180d59e5fc821231efecf35c85db0d6cb3f99c50c54078436f6
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A11DF76804284CFCF17CF54D9C0B1ABF62FB88324F2486A9D8080B256C336D456CBA2
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3188490519.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_110d000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: b747dd0fa185dcd320a566891ff35dcd475209447f4dcd143789a853c1db2c2e
                                                                                                                                                                                                                        • Instruction ID: 8ce5de5c1c4cc3ffe7dc9a00b47b225ee97c88aa9e3580c0f8e453e98d862a4c
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b747dd0fa185dcd320a566891ff35dcd475209447f4dcd143789a853c1db2c2e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BD01F771D053409AEB1A8EA9D884767BFD8EF453A4F18C41ADD490B2C6C3B99841C6B2
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3188490519.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_110d000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 9a4f1da9315a476517cdff78929323230b42fb4e18cbed4bd101e5fa44147058
                                                                                                                                                                                                                        • Instruction ID: 0c8c1d2a63b6c032fc77088cc7377d2edc3b002a63300bbbbe18b18ee4e87920
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a4f1da9315a476517cdff78929323230b42fb4e18cbed4bd101e5fa44147058
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8DF0C271805244AEEB118E5AD884B63FFD8EB41674F18C45AED480B2C6C3B99841CAB1
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000023.00000002.3189578581.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_17c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 99fd0feac2cf90bab7e0b8f55422acfc06667b5ed39e59698eac8a61cb7090a4
                                                                                                                                                                                                                        • Instruction ID: 82cc5edfa89f872766fd1cf652ca9151081581288c974156658a67be8a41107f
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99fd0feac2cf90bab7e0b8f55422acfc06667b5ed39e59698eac8a61cb7090a4
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90E16E31D1064A8FCF15DFA8C8405DEFBB2FF99310F15826AD415BB251EB70A986CB90

Execution Graph

Execution Coverage: 9.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 5
Total number of Limit Nodes: 1

Control-flow Graph

Strings

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: `tS$htS$ptS
                                                                                                                                                                                                                        • API String ID: 0-2599979567
                                                                                                                                                                                                                        • Opcode ID: cba362485ca3cebdd8eb1d55e59def0a6ed0121d88989888207d326581d2200c
                                                                                                                                                                                                                        • Instruction ID: dfc22a594252370abe960b91cf869e5b6b454798014b168e9572b6bc37fb0110
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cba362485ca3cebdd8eb1d55e59def0a6ed0121d88989888207d326581d2200c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23519F32A0D9494FEF88DF189855FB537D2FF98310F0805ADD48DDB686EA65F8028B80

                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3211820427.00007FF953840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953840000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953840000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                        • String ID: I
                                                                                                                                                                                                                        • API String ID: 1088084561-3707901625
                                                                                                                                                                                                                        • Opcode ID: 73f497e6800a1368caf84d397f96b41f63b978e6135235912026f3961064957c
                                                                                                                                                                                                                        • Instruction ID: 717f41c733e480d856eca071df82e3eb3586cff87e85fe752af2b74f246625d6
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73f497e6800a1368caf84d397f96b41f63b978e6135235912026f3961064957c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC51653191CB484FDB19DFAC984AAE97BE0EF55320F04017FE048D7282DEA8B8468791

                                                                                                                                                                                                                        Control-flow Graph (rendered graph not preserved; summary of its node list): entry block 7ff953b5840d-7ff953b58417; basic blocks span 7ff953b5840d-7ff953b586a2; the function calls 7ff953b58430 (from block 7ff953b5867a) and 7ff953b585ca (from block 7ff953b585ad-7ff953b585be). The executed / not-executed block colouring of the original image is lost.
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: {L_H
                                                                                                                                                                                                                        • API String ID: 0-2715681820
                                                                                                                                                                                                                        • Opcode ID: cfcc20e227cccf3a0fc64be0af52d2b4f7fb74ffa0f764cf5147dbeccd490b75
                                                                                                                                                                                                                        • Instruction ID: cd1bf000b0b1a6e65ce0201f05b1fe352cb1031036c26334c48814a680731acc
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cfcc20e227cccf3a0fc64be0af52d2b4f7fb74ffa0f764cf5147dbeccd490b75
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E1511532E1CD4D4BE762EF68B8516B97BD2FF94310B08017EE58CD3592EEA4B8068741
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                        • Opcode ID: f403187a9a2e73cea71e1c9e259b79640fd6073e744e7ec47476a6f39ba0b61e
                                                                                                                                                                                                                        • Instruction ID: af51de278fe60d1552b61853174506aca5cf90e82c7e0dad681b562da5b3acf3
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f403187a9a2e73cea71e1c9e259b79640fd6073e744e7ec47476a6f39ba0b61e
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1431F322F1C98A0FE786DB2C54947B877D2EFA921071C45BEE08CD7297ED98B9464340
                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID: xtS
                                                                                                                                                                                                                        • API String ID: 0-1042708608
                                                                                                                                                                                                                        • Opcode ID: 2261520d62f2e7af4070624fafa1f6f18ac1524b4bd112864ca3419d4d1cd453
                                                                                                                                                                                                                        • Instruction ID: 07da54d673a08ddbd145ae140e14367d4cc03ebb3e70aaae00859cf3129b8ba1
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2261520d62f2e7af4070624fafa1f6f18ac1524b4bd112864ca3419d4d1cd453
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A021C971A0EA8A4FDB89DF18D855EB57BD2FF5830470805FDD08DDB282DE25A842CB40
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 3b7f468703856fe4c945a4301dd9fa1a040cc969ba70ecd453d65d335160cf9b
                                                                                                                                                                                                                        • Instruction ID: 327408c0dcbdb448de7fea2bd336b56a89e5f99ebab387a9c79633007939fbf8
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3b7f468703856fe4c945a4301dd9fa1a040cc969ba70ecd453d65d335160cf9b
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8C16A32A2CE4A1FEB98EB189842EB577D2FF55310B08017ED08ED79C2FD55B9168781
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: c0fdb11e1cff952315fa4272120c172ae2646fb6de77d39564217a4762fb489f
                                                                                                                                                                                                                        • Instruction ID: 4152d5f6489447e63af5356b9c82c1465b0d6da3bde3ae184c2e43130a6456d5
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0fdb11e1cff952315fa4272120c172ae2646fb6de77d39564217a4762fb489f
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01B1E671A2C94A4FEBA9EB1C9491BB537D2FF68301F1800BDE48DD7682ED95F8468740
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 1552cb12278951130afd27e1305d28cbe934085ed614c01c5ca1c5ea489d2afe
                                                                                                                                                                                                                        • Instruction ID: 3b28bd1ddd144208fe9090b57aa15467c9cd3750adf375ca0cd4c59c37d1b0e0
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1552cb12278951130afd27e1305d28cbe934085ed614c01c5ca1c5ea489d2afe
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FEF0A03240D68C4FCB42DF64E4918D5BFB0EE16320B0401CBE088CB063E7219A48CB82
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 6a9607556c46ef0b6c792475b2b928e5a8dbc59dbd544367ad6289bcabfdb3be
                                                                                                                                                                                                                        • Instruction ID: a6ff6b70add8e2eee3fe2eb99eb29279fb24bb8edffb5fa81947ab5aa80ac657
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a9607556c46ef0b6c792475b2b928e5a8dbc59dbd544367ad6289bcabfdb3be
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1E0D87150E3D50FDB529F349498CE13FA0EE1331030940EBE481CF4B3E5159A89C751
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 147b923666be1e969447bbded5aa5ab8a9bc5342b8487ac0a5f6803fb892b95c
                                                                                                                                                                                                                        • Instruction ID: 3496d630ae51eb71606ea89f0b07461c35c52818d4ec442554f627eeb5cfda55
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 147b923666be1e969447bbded5aa5ab8a9bc5342b8487ac0a5f6803fb892b95c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8E08C2592D60302FB6CA16574917BA66C29F45314F4D407ED51ED08C1ECEDBD948192
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2f2883aea01ed3bffe0a4b933b4196d51770301df595a2b5225e233dd3e6f366
                                                                                                                                                                                                                        • Instruction ID: 6e2aea809fcec3751f6a0cf84b83f63962305936d2379bd2033da6e116ad3e78
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f2883aea01ed3bffe0a4b933b4196d51770301df595a2b5225e233dd3e6f366
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CD09E13F2CC1D0BA2D9D61C34457B843C3D7E896175D05BAE44CD7299EC496D931281
                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                        • Source File: 00000024.00000002.3223149601.00007FF953B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF953B50000, based on PE: false
                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                        • Snapshot File: hcaresult_36_2_7ff953b50000_ScreenConnect.jbxd
                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                        • Opcode ID: 2338e097a0cd48a14af61001fffcc9e228daaaa6ab1fad6bee3ef796afc8349c
                                                                                                                                                                                                                        • Instruction ID: 28247ce0143b5f3e8c3ef6282fc96b5516d9d7c331fc5c31f4fad5828ce6703e
                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2338e097a0cd48a14af61001fffcc9e228daaaa6ab1fad6bee3ef796afc8349c
                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ACC09B10E395464AF64CFB644445BBD13D36F98604B58443DD10DE9586CDBD75015545