Windows Analysis Report
XCnB8SL.exe

EXE planting / hijacking vulnerabilities found

Compliance

Source: C:\Users\user\Desktop\XCnB8SL.exe

EXE: msiexec.exe

PE / OLE file has a valid certificate

Uses 32bit PE files

Source: XCnB8SL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XCnB8SL.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: XCnB8SL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: XCnB8SL.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: XCnB8SL.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: XCnB8SL.exe
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: XCnB8SL.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2955245651.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954500090.0000000002532000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2953876115.0000000000AD0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: XCnB8SL.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1741747874.000000000027D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: XCnB8SL.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1725726118.00000000045B0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: XCnB8SL.exe, MSID0EA.tmp.2.dr, MSID0CA.tmp.2.dr, 60ceb8.rbs.2.dr, MSID34C.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 60ceb7.msi.2.dr, 60ceb9.msi.2.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: XCnB8SL.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: XCnB8SL.exe, MSIC8CB.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 60ceb7.msi.2.dr, 60ceb9.msi.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954092785.0000000000D12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954092785.0000000000D12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: XCnB8SL.exe

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Reads the Security eventlog

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: instance-lsc69n-relay.screenconnect.com

Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000009.00000002.2953908933.000002CA4D200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D418000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D418000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D418000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D44D000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/7
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/9
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.00000000022A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002445000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002472000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002349000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.00000000020D2000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002152000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002213000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/d
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: svchost.exe, 00000009.00000002.2952754774.000002CA47CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: XCnB8SL.exe, 00000000.00000002.1713330982.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000001FE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: XCnB8SL.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.2.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000009.00000003.1780504145.000002CA4D4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior

System Summary

Detected potential unwanted application

Source: XCnB8SL.exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Code function: 7_2_05D23064 CreateProcessAsUserW,

7_2_05D23064

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60ceb7.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{26586069-DB09-5B84-A5DF-3B119579CF02}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0CA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0EA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60ceb9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60ceb9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{26586069-DB09-5B84-A5DF-3B119579CF02}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\azpqkdj5.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\azpqkdj5.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\w5phzrjk.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\w5phzrjk.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\xx4ec5bu.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\xx4ec5bu.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\x1jorles.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\x1jorles.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\zaaz524w.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\zaaz524w.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\55voodqo.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\55voodqo.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\djfy4ofh.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\djfy4ofh.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\12mbwazx.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\12mbwazx.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\mvkexfgn.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\mvkexfgn.newcfg	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSID0EA.tmp

Detected potential crypto function

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_056C9198	7_2_056C9198
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_056C7090	7_2_056C7090
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_056C7090	7_2_056C7090
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_056C7082	7_2_056C7082
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D233C8	7_2_05D233C8
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D233C8	7_2_05D233C8
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B417008	8_2_00007FFD9B417008
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B4110CF	8_2_00007FFD9B4110CF
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B4110D7	8_2_00007FFD9B4110D7
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B7343FD	8_2_00007FFD9B7343FD
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B72000C	8_2_00007FFD9B72000C
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B7276FA	8_2_00007FFD9B7276FA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B730EFA	8_2_00007FFD9B730EFA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B72B6C1	8_2_00007FFD9B72B6C1
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B726DE2	8_2_00007FFD9B726DE2
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B72951B	8_2_00007FFD9B72951B
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B7310D3	8_2_00007FFD9B7310D3

PE file contains executable resources (Code or Archives)

Source: XCnB8SL.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: XCnB8SL.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: XCnB8SL.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: XCnB8SL.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: XCnB8SL.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Sample file is different than original file name gathered from version info

Source: XCnB8SL.exe, 00000000.00000002.1737679408.00000000057BC000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1737679408.00000000057BC000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1737679408.00000000057BC000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1737679408.00000000057BC000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1735971960.0000000005440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1735971960.0000000005440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1735971960.0000000005440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1726555701.0000000003F03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000009DF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000009DF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1735848964.0000000005420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1735050480.0000000005380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1734531848.0000000005190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1713330982.000000000362A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1713330982.000000000362A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs XCnB8SL.exe
Source: XCnB8SL.exe, 00000000.00000002.1713330982.000000000362A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameSfxCA.dllL vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenamewixca.dll\ vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
Source: XCnB8SL.exe	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe

Uses 32bit PE files

Source: XCnB8SL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal63.evad.winEXE@16/64@3/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)

Source: C:\Users\user\Desktop\XCnB8SL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCnB8SL.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\XCnB8SL.exe

File created: C:\Users\user\AppData\Local\Temp\ScreenConnect

Source: XCnB8SL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XCnB8SL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\XCnB8SL.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\XCnB8SL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6342953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: XCnB8SL.exe	Virustotal: Detection: 22%
Source: XCnB8SL.exe	ReversingLabs: Detection: 18%

Source: XCnB8SL.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: XCnB8SL.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\XCnB8SL.exe

File read: C:\Users\user\Desktop\XCnB8SL.exe

Source: unknown	Process created: C:\Users\user\Desktop\XCnB8SL.exe "C:\Users\user\Desktop\XCnB8SL.exe"
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 46499482A1C987A47F631462B5FC519F C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6342953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCF81E7E4DBCAD9001FC90A4A907F90F
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F1D3D1CC367989CF5F4FD5B0487C8313 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=8ac31f4f-82f1-4248-8c0d-ccc961cc8384&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "df00d6c5-123e-4382-ad58-82662d08eea7" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 46499482A1C987A47F631462B5FC519F C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCF81E7E4DBCAD9001FC90A4A907F90F	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F1D3D1CC367989CF5F4FD5B0487C8313 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6342953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "df00d6c5-123e-4382-ad58-82662d08eea7" "User"	Jump to behavior

Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\XCnB8SL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\XCnB8SL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

PE / OLE file has a valid certificate

Source: XCnB8SL.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: XCnB8SL.exe

Static file information: File size 5620200 > 1048576

PE file has a big raw section

Source: XCnB8SL.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200

PE file contains a mix of data directories often seen in goodware

Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XCnB8SL.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: XCnB8SL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: XCnB8SL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: XCnB8SL.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: XCnB8SL.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: XCnB8SL.exe
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: XCnB8SL.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2955245651.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954500090.0000000002532000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2953876115.0000000000AD0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: XCnB8SL.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1741747874.000000000027D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: XCnB8SL.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1725726118.00000000045B0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: XCnB8SL.exe, MSID0EA.tmp.2.dr, MSID0CA.tmp.2.dr, 60ceb8.rbs.2.dr, MSID34C.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 60ceb7.msi.2.dr, 60ceb9.msi.2.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: XCnB8SL.exe, ScreenConnect.Windows.dll.2.dr, ScreenConnect.Windows.dll.4.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: XCnB8SL.exe, MSIC8CB.tmp.1.dr, ScreenConnect.ClientSetup.msi.0.dr, 60ceb7.msi.2.dr, 60ceb9.msi.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954092785.0000000000D12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2954092785.0000000000D12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.2967438103.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.2964257751.00000000127B0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: XCnB8SL.exe

PE file contains a valid data directory to section mapping

Source: XCnB8SL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XCnB8SL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XCnB8SL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XCnB8SL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XCnB8SL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.Client.dll.2.dr

Static PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]

PE file contains an invalid checksum

Source: MSID0EA.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x3d8a7
Source: MSID34C.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x3d8a7
Source: MSIC8CB.tmp.1.dr	Static PE information: real checksum: 0x2f213 should be: 0x1125d0
Source: XCnB8SL.exe	Static PE information: real checksum: 0x54d1c1 should be: 0x565c97

PE file contains sections with non-standard names

Source: ScreenConnect.WindowsAuthenticationPackage.dll.2.dr	Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.2.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\XCnB8SL.exe	Code function: 0_2_02BE70B0 push eax; mov dword ptr [esp], ecx	0_2_02BE70C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_06BA7FB3 push es; ret	4_3_06BA7FC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_06BA29A1 push es; ret	4_3_06BA29B0
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_044FF6E7 push ss; retn 0004h	7_2_044FF6F2
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_044FF6B7 push ss; retn 0004h	7_2_044FF6D2
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_044FF717 push ss; retn 0004h	7_2_044FF722
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_044FF362 push es; retn 0004h	7_2_044FF372
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_056C05D1 push 00000005h; ret	7_2_056C05E0
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D271DF push eax; retn 0004h	7_2_05D271EA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D271CF push eax; retn 0004h	7_2_05D271DA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D271FF push eax; retn 0004h	7_2_05D2720A
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D271EF push eax; retn 0004h	7_2_05D271FA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D27195 push eax; retn 0004h	7_2_05D2719A
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D2719F push eax; retn 0004h	7_2_05D271AA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_05D21E70 push eax; mov dword ptr [esp], ecx	7_2_05D21E71
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_06110F81 pushad ; ret	7_2_06110F93
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Code function: 7_2_06110FE0 push esp; ret	7_2_06110FF3
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B4222ED push ebx; retf	8_2_00007FFD9B4222FA
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B42096D push ebx; retf	8_2_00007FFD9B42098A
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B4208CD push ebx; retf	8_2_00007FFD9B42098A
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B7292CC push 0000006Ch; iretd	8_2_00007FFD9B7293B4
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B728F48 pushad ; retn 5CD9h	8_2_00007FFD9B72919D
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B729355 push 0000006Ch; iretd	8_2_00007FFD9B7293B4
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B722F5A pushfd ; iretd	8_2_00007FFD9B722F5B
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B72C1A6 push ds; iretd	8_2_00007FFD9B72C22F
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Code function: 8_2_00007FFD9B72752B push ebx; iretd	8_2_00007FFD9B72756A

Persistence and Installation Behavior

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (78092984cb0cb00b)\screenconnect.windowscredentialprovider.dll

COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-27d7-3aa2a021a8a7}\inprocserver32

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0EA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34C.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID0EA.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.2.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (78092984cb0cb00b)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: XCnB8SL.exe, 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: XCnB8SL.exe, 00000000.00000002.1735971960.0000000005440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000004.00000003.1717736058.0000000004731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2970209823.000000001B5B2000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2955245651.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2954500090.0000000002532000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2953876115.0000000000AD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: XCnB8SL.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.4.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\XCnB8SL.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Memory allocated: 2D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Memory allocated: 6450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XCnB8SL.exe	Memory allocated: 5C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Memory allocated: 1890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Memory allocated: 1F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Memory allocated: 1EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A7A0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe

Code function: 8_2_00007FFD9B72B654 rdtsc

8_2_00007FFD9B72B654

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\XCnB8SL.exe

Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID34C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID0EA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\XCnB8SL.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe TID: 7992	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe TID: 7256	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8176	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\XCnB8SL.exe

Thread delayed: delay time: 922337203685477

Source: svchost.exe, 00000009.00000002.2952562568.000002CA47C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2954038597.000002CA4D254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: XCnB8SL.exe, 00000000.00000002.1711124144.0000000001008000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2975010268.0000000004D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Contains functionality for execution timing, often used to detect debuggers

Anti Debugging

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe

Code function: 8_2_00007FFD9B72B654 rdtsc

8_2_00007FFD9B72B654

Enables debug privileges

Source: C:\Users\user\Desktop\XCnB8SL.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\XCnB8SL.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\XCnB8SL.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (78092984cb0cb00b)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=8ac31f4f-82f1-4248-8c0d-ccc961cc8384&k=bgiaaackaabsu0exaagaaaeaaqdz3wp49cujwp4h5bw8x1hizbj8xqf10olccxaigzla90hkmwx1pommvdekr%2f1ydt2f%2fcesxcnjci949ntm9ws%2bw5gbyjz72k0cotu%2bcvtipts8tu7niual9hyr6mtxrzs3fwvfyqtzf8xnxff9nhwfltaz09ihyuz%2fxxo2gwvtjaynojjc2bbek8nsdoqvf2gllrcq39zqn%2bfpki7cyzjipm28zym9nafvb4kfnf9ff36n1je3i4j4bmsnjliokqsw5tlxsmw1qdr%2f%2f4kh454a2dls4m6chsnnfuofw2ddjotmpilqdaoawqlbijbke5fu5nzdwzvmkskoaqsbr%2fq%2b&c=screenconnect&c=&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\XCnB8SL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Code function: 7_2_05D206BC CreateNamedPipeW,

7_2_05D206BC

Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Code function: 7_2_01894C6F RtlGetVersion,

7_2_01894C6F

Source: C:\Users\user\Desktop\XCnB8SL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Yara detected ScreenConnect Tool

Remote Access Functionality

Source: Yara match	File source: XCnB8SL.exe, type: SAMPLE
Source: Yara match	File source: 0.2.XCnB8SL.exe.5600000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ScreenConnect.WindowsClient.exe.281fa10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.ScreenConnect.WindowsClient.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XCnB8SL.exe.5600000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.XCnB8SL.exe.565db0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.XCnB8SL.exe.53c3d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.XCnB8SL.exe.4b63d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.XCnB8SL.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1737679408.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2955245651.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XCnB8SL.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\~DFA0FC47C05AFEE297.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBB73873C08524CC1.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF87E3E29FED3F3CBD.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF5445F4A01F919037.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF978F1D0545D76DA5.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSID0CA.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\60ceb8.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF646022F988AFA378.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	Scheduled Task/Job	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Component Object Model Hijacking	1 Component Object Model Hijacking	1 Timestomp	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Valid Accounts	1 Valid Accounts	1 DLL Side-Loading	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Windows Service	1 Access Token Manipulation	1 DLL Search Order Hijacking	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	2 Windows Service	1 File Deletion	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	13 Process Injection	22 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Bootkit	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Rundll32	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
XCnB8SL.exe	23%	Virustotal		Browse
XCnB8SL.exe	18%	ReversingLabs	Win32.PUA.ConnectWise

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSID0EA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID34C.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://instance-lsc69n-relay.screenconnect.com:443/7	0%	Avira URL Cloud	safe
http://instance-lsc69n-relay.screenconnect.com:443/d	0%	Avira URL Cloud	safe
http://instance-lsc69n-relay.screenconnect.com:443/9	0%	Avira URL Cloud	safe
http://instance-lsc69n-relay.screenconnect.com:443/	0%	Avira URL Cloud	safe
https://feedback.screenconnect.com/Feedback.axd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server-ovh3183109-relay.screenconnect.com	51.195.188.103	true	false		unknown
instance-lsc69n-relay.screenconnect.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://instance-lsc69n-relay.screenconnect.com:443/7	ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-lsc69n-relay.screenconnect.com:443/9	ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.2.dr	false		high
http://crl.ver)	svchost.exe, 00000009.00000002.2953908933.000002CA4D200000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.9.dr, qmgr.db.9.dr	false		high
http://www.fontbureau.com/designers	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://instance-lsc69n-relay.screenconnect.com:443/d	ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.00000000022A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002445000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002472000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002349000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.00000000020D2000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002152000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000002213000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/news/	rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
http://www.goodfont.co.kr	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.9.dr, qmgr.db.9.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/releases/	rundll32.exe, 00000004.00000003.1717736058.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717958300.00000000045B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1717736058.0000000004725000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr	false		high
http://www.founder.com.cn/cn	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.9.dr, qmgr.db.9.dr	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000009.00000003.1780504145.000002CA4D4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration	svchost.exe, 00000009.00000002.2952754774.000002CA47CA0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.2.dr	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XCnB8SL.exe, 00000000.00000002.1713330982.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2954884539.0000000001FE2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	ScreenConnect.WindowsClient.exe, 00000008.00000002.2974738592.000000001D0F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000009.00000003.1780504145.000002CA4D4C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	false		high
http://instance-lsc69n-relay.screenconnect.com:443/	ScreenConnect.ClientService.exe, 00000007.00000002.2951971861.000000000157C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.195.188.103	server-ovh3183109-relay.screenconnect.com	France		16276	OVHFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590620
Start date and time:	2025-01-14 11:24:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XCnB8SL.exe
Detection:	MAL
Classification:	mal63.evad.winEXE@16/64@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 76% Number of executed functions: 376 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XCnB8SL.exe, PID 7556 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7752 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:25:08	API Interceptor	2x Sleep call for process: svchost.exe modified
05:25:15	API Interceptor	1x Sleep call for process: ScreenConnect.ClientService.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	https://offfryfjtht767755433.webflow.io/	Get hash	malicious	Unknown	Browse	54.38.113.3
	https://tinyurl.com/ch268ddp	Get hash	malicious	Unknown	Browse	5.135.209.105
	https://urlz.fr/tJIZ	Get hash	malicious	Unknown	Browse	51.38.120.206
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	146.59.69.202
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	145.239.192.166
	trow.exe	Get hash	malicious	Unknown	Browse	178.32.116.144
	https://metafeedbackservice.com/606967319425038/form/	Get hash	malicious	Unknown	Browse	54.38.78.53
	http://welcom-trezzor-cdn.github.io/	Get hash	malicious	HTMLPhisher	Browse	91.134.10.182
	http://us-suite-trezzor-cdn.github.io/	Get hash	malicious	HTMLPhisher	Browse	91.134.10.168
	https://lttechnologies12.com/a/default/	Get hash	malicious	Unknown	Browse	54.38.209.89

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll	https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188	Get hash	malicious	ScreenConnect Tool	Browse
	E-Deposit.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-Deposit.exe	Get hash	malicious	ScreenConnect Tool	Browse
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	NotaFiscalOnline.ClientSetup.ex#.exe	Get hash	malicious	ScreenConnect Tool	Browse
	NotaFiscalOnline.ClientSetup.ex#.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse
C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll	https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188	Get hash	malicious	ScreenConnect Tool	Browse
	E-Deposit.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-Deposit.exe	Get hash	malicious	ScreenConnect Tool	Browse
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	NotaFiscalOnline.ClientSetup.ex#.exe	Get hash	malicious	ScreenConnect Tool	Browse
	NotaFiscalOnline.ClientSetup.ex#.exe	Get hash	malicious	ScreenConnect Tool	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse

Created / dropped Files

C:\Config.Msi\60ceb8.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219459
Entropy (8bit):	6.584588533841364
Encrypted:	false
SSDEEP:	3072:QI9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGd:QIuH2aCGw1ST1wQLdqvd
MD5:	828FB53832F1FF2475C3E0BA2E37D2DF
SHA1:	C582B48A66BBF5424FA56F9D730ABDBD1F9496A9
SHA-256:	B4FBEAB6BC681EAD2DE3BC801E2FF23D8141D032EA540823A48BD5396A65F471
SHA-512:	19E8B4F7BDCE7AA56FA7243C3A865AF6CA977258E31DCF9110BFC20ACA1B7A28CF81EC06942C9D77A71FB42ACD7FD96848D729993CA06ABE1DC45F265F841F79
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\60ceb8.rbs, Author: Joe Security
Preview:	...@IXOS.@.....@#+.Z.@.....@.....@.....@.....@.....@......&.{26586069-DB09-5B84-A5DF-3B119579CF02}'.ScreenConnect Client (78092984cb0cb00b)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{26586069-DB09-5B84-A5DF-3B119579CF02}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (78092984cb0cb00b)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3B03205B-69C9-C7FC-94C0-2E89FF1AA279}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{55AD7324-6C8C-8821-306B-DD4B0D7D0490}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{4A48F46B-EB96-8151-8A3F-7BFFFFF17649}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{7C3C87D9-D21D-BA5E-BBB3-7CFC426824C1}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{1D8B9AB5-7721-D02B-DBA6-E7196FEDCEF2}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{8DFF9E0B-7DD1-B617-98F6-3F01885CDC9F}&.{26586069-DB09-5B84-A5DF

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	50133
Entropy (8bit):	4.759054454534641
Encrypted:	false
SSDEEP:	1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
MD5:	D524E8E6FD04B097F0401B2B668DB303
SHA1:	9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
SHA-256:	07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
SHA-512:	E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.586775768189165
Encrypted:	false
SSDEEP:	3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
MD5:	3724F06F3422F4E42B41E23ACB39B152
SHA1:	1220987627782D3C3397D4ABF01AC3777999E01C
SHA-256:	EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
SHA-512:	509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: E-Deposit.exe, Detection: malicious, Browse Filename: E-Deposit.exe, Detection: malicious, Browse Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..\|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=.....0...........~...%-.&~).....\|...s&...%....(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.06942231395039
Encrypted:	false
SSDEEP:	1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: E-Deposit.exe, Detection: malicious, Browse Filename: E-Deposit.exe, Detection: malicious, Browse Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95512
Entropy (8bit):	6.504684691533346
Encrypted:	false
SSDEEP:	1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
MD5:	75B21D04C69128A7230A0998086B61AA
SHA1:	244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
SHA-256:	F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
SHA-512:	8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61208
Entropy (8bit):	6.310126082367387
Encrypted:	false
SSDEEP:	1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
MD5:	AFA97CAF20F3608799E670E9D6253247
SHA1:	7E410FDE0CA1350AA68EF478E48274888688F8EE
SHA-256:	E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
SHA-512:	FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!......0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	602392
Entropy (8bit):	6.176232491934078
Encrypted:	false
SSDEEP:	6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
MD5:	1778204A8C3BC2B8E5E4194EDBAF7135
SHA1:	0203B65E92D2D1200DD695FE4C334955BEFBDDD3
SHA-256:	600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
SHA-512:	A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81688
Entropy (8bit):	5.8618809599146005
Encrypted:	false
SSDEEP:	1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
MD5:	1AEE526DC110E24D1399AFFCCD452AB3
SHA1:	04DB0E8772933BC57364615D0D104DC2550BD064
SHA-256:	EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
SHA-512:	482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (474), with CRLF line terminators
Category:	dropped
Size (bytes):	964
Entropy (8bit):	5.755234815592592
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/5/uLs1KlbR6uHxvrCUxUUvH:chh7HH5WLsU76e1jx5v
MD5:	9DD908F9448013CCCE2DFE50617BD36C
SHA1:	FDF380092CC6DC57BAF718F8892B9E8DD09B741D
SHA-256:	0D52F9B94FB7A946C484778859D64ECDBE3961C13543251656F8731889C4F665
SHA-512:	A79CFF2829B9A10DE1BF5625848FEA5D3C782E6B9657E45D8DD0FC2CDEE63838CFAD8504ABBE7802FF60919599EEFFDF24DFD58C2064CE0EBD865C9C61C06840
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-lsc69n-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073552243209052
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvre:KooCEYhgYEL0In
MD5:	57478EADC2C94B13C1A935B54E755AA2
SHA1:	7F7D37AAFADDEC6A18B1AF78D7359975ABACCFB1
SHA-256:	82A24BC2977A3230B7B42DEBC884D6EC11D64543CABF8C3204D9F26987A902FB
SHA-512:	6D1D63483693442608EBC6FC0A5B28798A6D0FF1E2DB8C75FEA1982682F7AD9DFA70A2026A16CF5DC8BCBEE6157D2CBB7F4C80F54D8A56741FC625B58E6D01EC
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x1d7b03c0, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221489020053873
Encrypted:	false
SSDEEP:	1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5:	069E40CF147D0ADD9AA09E35927F2258
SHA1:	BB823113BDD2C3D8B066EC574CE00EF6D9988922
SHA-256:	00B17ECAB5D5F749DE5A0EA18AB3AEDB585AF6247EA34B54A9DB281B18F90593
SHA-512:	4E133E70575728FF66934ADEF360E78E74C9CEF730A71D3821784617CD69A4D43BC77C4195834540DC071728AC3B7EDE9237A3FCBFDAD067BA79616A1E7103EC
Malicious:	false
Preview:	.{..... .......A.......X\...;...{......................0.!..........{A......}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.................................../.3.....}...........................}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0766862533088834
Encrypted:	false
SSDEEP:	3:8YeaUkfSuGjjn13a/IUkfH/AllcVO/lnlZMxZNQl:8zDUSuGj53qVUfAOewk
MD5:	5B554B0E57E41BCD15A47D59692A7F11
SHA1:	6F83BB69BC23D2D2731782137F20A63FB1EFCB77
SHA-256:	B74E6A5B142F7F6932D5D071D3BBAD82375BB56BDF3ADED98271541657054B32
SHA-512:	BDAE665E3406EA186D7EBE9375EF21C04EB785725E8BFE3B4905B8348E17DFE9A060602BD8593571F88F9790264A31AB7B2596E6408DBB06690B5D0C051FDA97
Malicious:	false
Preview:	..a......................................;...{.......}.......{A..............{A......{A..........{A].........................}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCnB8SL.exe.log

Process:	C:\Users\user\Desktop\XCnB8SL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.36509199858051
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
MD5:	1CF2352B684EF57925D98E766BA897F2
SHA1:	6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
SHA-256:	43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
SHA-512:	9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1088392
Entropy (8bit):	7.789940577622617
Encrypted:	false
SSDEEP:	24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
MD5:	8A8767F589EA2F2C7496B63D8CCC2552
SHA1:	CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:	0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:	518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.977464602412109
Encrypted:	false
SSDEEP:	6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
MD5:	6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:	B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:	7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:	B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.034211651049746
Encrypted:	false
SSDEEP:	12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
MD5:	14E7489FFEBBB5A2EA500F796D881AD9
SHA1:	0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
SHA-256:	A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
SHA-512:	2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.273875899788767
Encrypted:	false
SSDEEP:	192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
MD5:	73A24164D8408254B77F3A2C57A22AB4
SHA1:	EA0215721F66A93D67019D11C4E588A547CC2AD6
SHA-256:	D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
SHA-512:	650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....^.(.......&...%...}....:.(......}....:.(......}....:.(......}........0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	6.639085961200334
Encrypted:	false
SSDEEP:	24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
MD5:	9AD3964BA3AD24C42C567E47F88C82B2
SHA1:	6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
SHA-256:	84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
SHA-512:	CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..\|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...\|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi

Process:	C:\Users\user\Desktop\XCnB8SL.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	8241152
Entropy (8bit):	7.950625352101403
Encrypted:	false
SSDEEP:	98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
MD5:	6B70BC0DF4BA3F20D5BE63B0397C5683
SHA1:	CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
SHA-256:	4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
SHA-512:	BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\60ceb7.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	8241152
Entropy (8bit):	7.950625352101403
Encrypted:	false
SSDEEP:	98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
MD5:	6B70BC0DF4BA3F20D5BE63B0397C5683
SHA1:	CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
SHA-256:	4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
SHA-512:	BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\60ceb9.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	8241152
Entropy (8bit):	7.950625352101403
Encrypted:	false
SSDEEP:	98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
MD5:	6B70BC0DF4BA3F20D5BE63B0397C5683
SHA1:	CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
SHA-256:	4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
SHA-512:	BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID0CA.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423534
Entropy (8bit):	6.57843434559028
Encrypted:	false
SSDEEP:	6144:kuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvB:kuH2anwohwQUv5uH2anwohwQUvB
MD5:	42DD49A682917CA83C0750E8FD6C1AF2
SHA1:	12683C25BC45F8229C351B2FF451C8B5AF775206
SHA-256:	6FA28FF52D830785AC4E12BCCC10A29AE478BE0A73959FA1B77AF0DEE06B9EDF
SHA-512:	E301D10BFAE9913B44F27E8C59F7DE3EAA35048825E8D852E1168F3B1F824B2B16A9744AA407E67FB166715DF869E22A4BE811B24D663A272AB240170E4DA0D9
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSID0CA.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@#+.Z.@.....@.....@.....@.....@.....@......&.{26586069-DB09-5B84-A5DF-3B119579CF02}'.ScreenConnect Client (78092984cb0cb00b)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{26586069-DB09-5B84-A5DF-3B119579CF02}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (78092984cb0cb00b)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3B03205B-69C9-C7FC-94C0-2E89FF1AA279}^.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{55AD7324-6C8C-8821-306B-DD4B0D7D0490}f.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{4A48F46B-EB96-8151-8A3F-7BFFFFF17649}c.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileMa

C:\Windows\Installer\MSID0EA.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID34C.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{26586069-DB09-5B84-A5DF-3B119579CF02}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1730115062105408
Encrypted:	false
SSDEEP:	12:JSbX72FjispAGiLIlHVRpIh/7777777777777777777777777vDHFW/ju+kTI+73:JPpQI5wOS49F
MD5:	B7BAEC7C4A07DA38ED945DBF88AB5508
SHA1:	7A8BA1258D4973B05DB7A4EE8AC3446BBFDDA0B0
SHA-256:	CD1B6CAE1CD6F3CF6DA093922D61A8280E79ECE609E333053180BE8A029B26AB
SHA-512:	50290ED1C69B45FD4CBAA595938B47A38840FF61403FD66C885EA1D950E5D8E9C87547CF3AB5E180CF40AFC09EF978B2AFFE79975C60320E0CCD7544970664A5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8214642910169776
Encrypted:	false
SSDEEP:	48:/8Ph1uRc06WXzunT5D39qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:+h11znT9MVwpofCdSSxhE0fCg5UjeZ
MD5:	0855ABB8B085631BCD6C91C6236E855D
SHA1:	CDDB14D40E2D7DB6406C051D899A2AC639748965
SHA-256:	017874B8DEAFF0BFB9F39F83F952A41841B307A914EA26F252CF6759673BDF3B
SHA-512:	26C949B270574FB9E465A18897C9F588F10038FED60B47CC86E16492AAF68A9DF54DE1A9122FF2E9E1766C5D07DCC073B6D02D8E1B19697799BE0A92462CCED6
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375171107220839
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauq:zTtbmkExhMJCIpErb
MD5:	23C4D8A4BE0637BC774AA44487C4D024
SHA1:	BECD2AEFA3D552B7B6185C9B0633BDBB5CC884B2
SHA-256:	DA4EE6D5C2942A076140D4DC494CFF8C14B26A984BA18031E057CBDBDCCD0F73
SHA-512:	57F9FF8D1C1D69AC3B1CA23AFD825961CEEF12FE981212B5627145E1EAA8FF97EFA48BD5C77C025DADC28294B314C3173725194B9D0C13A4BE7A9271EBE3E488
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\12mbwazx.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.022931707880884
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSMse/vXbAa3xT:2dL9hK6E46YPRHfvH
MD5:	12258DF1E7F1BB9EAD2209F9EE4304A2
SHA1:	0D4488FC9ECC74F801E41399DC4A2B274B871C8A
SHA-256:	293AC7FCC8B5EA0F898677B1A5FBBDDD6975BCB003B1C4F4FE0AF99056AEB9D8
SHA-512:	D225390B086D5B67A1F91DC8BB6D14F5FB76D577392BC6C17BBCC4B23E1BA810E3E30F7979660D507D7515B8635BC068573BA714BA84EEB5E569FB61888AF1E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a26%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\55voodqo.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.021812012099597
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSpv/vXbAa3xT:2dL9hK6E46YPRHsvH
MD5:	6A8FFDE57778D0378E9B687862CBF1F8
SHA1:	251F35EA586804FC2D69952AE93EA56D973655AB
SHA-256:	2991A7524890186013CCC10FAA5144AA7023B64C7F6C74E4A2BF9296F41C0472
SHA-512:	976764C44F5FFBFBFBAAD87E07F258B6B2C5D7089A865B9B2A29D038D43CEEEADB4441AD4BB15587D3B92172EC0766B35DA5C4111EF90FC561A69C2FC812DBFE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a57</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\azpqkdj5.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.020627811405475
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS//vXbAa3xT:2dL9hK6E46YPRH+vH
MD5:	02FFE88BBAC9831DFB789A8707DA3C94
SHA1:	23FA36EE0454F3BEF1550BEE1E3D074020B22714
SHA-256:	5600EC373CC7BAF59774B90CD4D8050FB1D9C70A86D7CFF6C7C84C547EC8A3D3
SHA-512:	A481CD9D7E639E0F1BFFFE0D035611172411C63BC4EC7C2AFF38C8DA7A6AE325D2BFF26F3E0FC4359693E70FC590275C3DBA6DA9DBDC394E113A3A59D8BEC088
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a06</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\djfy4ofh.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.02258549863236
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSMlQv/vXbAa3xT:2dL9hK6E46YPRH7GvH
MD5:	0B15F429728A8F2D315BAD26D6DD8751
SHA1:	6CC838B53122A5A6890C9B83CAD6A09134CA6414
SHA-256:	99C6AD3903A5B8490B3222B6670FEB7C1A3F3D7ADD1E54750EAD1AB58042991E
SHA-512:	68DC8B3EB292EF7B9A9A3190CC9F68B66E3E3B762A9F9BA0CB0EAB8E69405F9BF1FA55F4B61E91E96607721899DBEF2E4EE5D61C39BF2D7BCA172FA5103FC89B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a26%3a07</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\mvkexfgn.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	585
Entropy (8bit):	5.021812012099597
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSM7v/vXbAa3xT:2dL9hK6E46YPRH53vH
MD5:	DCB226B8EDBCE9ACF12BA05D416602D9
SHA1:	83B3795E0F34D009E85B2122C44B6204CEEA4EB7
SHA-256:	8E8B8EFFC085D5E28230B2BE83141CF9AA1ADDA0DDDDF380AD6425B08EFCF182
SHA-512:	D0C71E0F905797180A3C133D6BED325EE3099E9FD710A1EB24A9025E490D3A18A3E005035FC2F0F40C5F62BC879DD9514C333D6292903E3D62D508B22E4C825A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a26%3a55</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.020627811405475
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS//vXbAa3xT:2dL9hK6E46YPRH+vH
MD5:	02FFE88BBAC9831DFB789A8707DA3C94
SHA1:	23FA36EE0454F3BEF1550BEE1E3D074020B22714
SHA-256:	5600EC373CC7BAF59774B90CD4D8050FB1D9C70A86D7CFF6C7C84C547EC8A3D3
SHA-512:	A481CD9D7E639E0F1BFFFE0D035611172411C63BC4EC7C2AFF38C8DA7A6AE325D2BFF26F3E0FC4359693E70FC590275C3DBA6DA9DBDC394E113A3A59D8BEC088
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a06</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\w5phzrjk.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.019166695213556
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSIm/vXbAa3xT:2dL9hK6E46YPRHMvH
MD5:	E3E697041E31BC9357751BE8E0CA82FD
SHA1:	C15B2AEF61D84345B85739FC6DE2E89F09312718
SHA-256:	70E5C15A6F5553D8BAA751734D46800A22FE039C41C01704CDAC34E33695D54A
SHA-512:	346D18C715F1AB93043829A3F778EE01F6EA16A32D6E01285E1AC1666CFCF23FBB66B39573B43628B55FB037C06A7A791A1E6CE4EAC97FDD91214351437EDDB2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a08</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\x1jorles.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.018504202811171
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSKXQv/vXbAa3xT:2dL9hK6E46YPRHPA3vH
MD5:	B45451D3C220F10C2742D21DB8933CB8
SHA1:	5E56491EA2171E0B08DD6B829377D025F9FCBB5B
SHA-256:	D266696D417E558AFB86FDBEA7FF5B8399AC42C19D71BAF43A962D035B174424
SHA-512:	4280FB472E8DDC365A75333696D095872F8575C2118F854CD160F92594E1ACF78E87B65826F959A2D973B1C3B6E6C09E3914092AE054D3161FF60BB3D245D4E9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a15</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\xx4ec5bu.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.017320002117049
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS+w/vXbAa3xT:2dL9hK6E46YPRHCvH
MD5:	6C1DEA5F1FE0B4459952C1BF56203E41
SHA1:	BBE6D388FB60C7964F203828FC010E2DCDE08BEA
SHA-256:	A8F55C23D5B389DB21FF68831319F75F8DD33F62B65A2993F90E0038B801C6D2
SHA-512:	272952E9BBDA7FFED11E22D26C8EF4081D82273AB4EDF959665BA6921751A08DF5392C986185ECAA6924E810B465251B47FC4BFCC1189A34FAEBC899519F57DD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a11</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\zaaz524w.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.018257175597078
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS45/vXbAa3xT:2dL9hK6E46YPRH9vH
MD5:	14ABAA457D550B377C761AB5205D1C76
SHA1:	46728EEDD7718ACD1BE9710D635629EF8852DB8F
SHA-256:	0AE6B864AA978D328960BBB5659A970199EEC9299462F72C5CE70221D840D2CA
SHA-512:	B451A326599C48F7BB6A1B254BC2BBEEC615D102A3B4CEB47E29BEC1D1C85BB630AF583E5B0ECA8DA7A1C7BBDD45D246E5D87C3A676C24D48C424F48E7B71DF7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a25%3a50</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\Temp\~DF14F0925F23F69231.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2E9CFCF805F4A9A9.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF455C73E727402ABF.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5445F4A01F919037.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.435250196969495
Encrypted:	false
SSDEEP:	48:MaNu1vh8FXzNT5aUp939qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:vNPzToe9MVwpofCdSSxhE0fCg5UjeZ
MD5:	01F186C41AF7F7A9396369AB89D97FFD
SHA1:	49805DDD067BD40464BB4D6E0B451004F6B76D38
SHA-256:	E4FDC994C91D0DC26AE54D2226A4C93D3D62826D14A3B1494B227BB5618B0191
SHA-512:	EA9C995DEE52EFAD3B21481922E8C2B965A34ACFB94F86BEFC34A3CC16C5627682CB5356D5E915DF9A424851904FA4E6053D3DF930EDE416BBCC1B25FDB3F2C2
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF5445F4A01F919037.TMP, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF646022F988AFA378.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.435250196969495
Encrypted:	false
SSDEEP:	48:MaNu1vh8FXzNT5aUp939qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:vNPzToe9MVwpofCdSSxhE0fCg5UjeZ
MD5:	01F186C41AF7F7A9396369AB89D97FFD
SHA1:	49805DDD067BD40464BB4D6E0B451004F6B76D38
SHA-256:	E4FDC994C91D0DC26AE54D2226A4C93D3D62826D14A3B1494B227BB5618B0191
SHA-512:	EA9C995DEE52EFAD3B21481922E8C2B965A34ACFB94F86BEFC34A3CC16C5627682CB5356D5E915DF9A424851904FA4E6053D3DF930EDE416BBCC1B25FDB3F2C2
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF646022F988AFA378.TMP, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF71EB20F054887020.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07772108010182531
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOmH/juWfkTV69QASKChiVky6l51:2F0i8n0itFzDHFW/ju+kTI+7r
MD5:	604F41315F25EA50492C617E793C924F
SHA1:	5BECB03E704B583D809B3F82EF7621DA25F5FA78
SHA-256:	65BAD11E0E9EEF6D9B782EA1B6A0937313F07DCF1E82A551344D71B449D71EBA
SHA-512:	DEE6737444FBA3DD7BE7823344F5D377699741665106F28BDA2B6068ECAF3C5A6F8D77B260F7B5FA36B83EC012F6BB249BC87276747E6EC9D2923C2AB497CF17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF87E3E29FED3F3CBD.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8214642910169776
Encrypted:	false
SSDEEP:	48:/8Ph1uRc06WXzunT5D39qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:+h11znT9MVwpofCdSSxhE0fCg5UjeZ
MD5:	0855ABB8B085631BCD6C91C6236E855D
SHA1:	CDDB14D40E2D7DB6406C051D899A2AC639748965
SHA-256:	017874B8DEAFF0BFB9F39F83F952A41841B307A914EA26F252CF6759673BDF3B
SHA-512:	26C949B270574FB9E465A18897C9F588F10038FED60B47CC86E16492AAF68A9DF54DE1A9122FF2E9E1766C5D07DCC073B6D02D8E1B19697799BE0A92462CCED6
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF87E3E29FED3F3CBD.TMP, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF91DEB467C834DEA8.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF978F1D0545D76DA5.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.435250196969495
Encrypted:	false
SSDEEP:	48:MaNu1vh8FXzNT5aUp939qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:vNPzToe9MVwpofCdSSxhE0fCg5UjeZ
MD5:	01F186C41AF7F7A9396369AB89D97FFD
SHA1:	49805DDD067BD40464BB4D6E0B451004F6B76D38
SHA-256:	E4FDC994C91D0DC26AE54D2226A4C93D3D62826D14A3B1494B227BB5618B0191
SHA-512:	EA9C995DEE52EFAD3B21481922E8C2B965A34ACFB94F86BEFC34A3CC16C5627682CB5356D5E915DF9A424851904FA4E6053D3DF930EDE416BBCC1B25FDB3F2C2
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF978F1D0545D76DA5.TMP, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA0FC47C05AFEE297.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8214642910169776
Encrypted:	false
SSDEEP:	48:/8Ph1uRc06WXzunT5D39qpNBVtqcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFb:+h11znT9MVwpofCdSSxhE0fCg5UjeZ
MD5:	0855ABB8B085631BCD6C91C6236E855D
SHA1:	CDDB14D40E2D7DB6406C051D899A2AC639748965
SHA-256:	017874B8DEAFF0BFB9F39F83F952A41841B307A914EA26F252CF6759673BDF3B
SHA-512:	26C949B270574FB9E465A18897C9F588F10038FED60B47CC86E16492AAF68A9DF54DE1A9122FF2E9E1766C5D07DCC073B6D02D8E1B19697799BE0A92462CCED6
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFA0FC47C05AFEE297.TMP, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBB73873C08524CC1.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.24256497124801435
Encrypted:	false
SSDEEP:	48:pvKkDDBAduvlS3qcq56AduvlSiw3dSSk63hR+U/FfCg5nUjQHIFho+rhVQ9qpNW:RLxpofCdSSxhE0fCg5UjBVW
MD5:	1FC2BC9110542098311FE6B3D0F24BC6
SHA1:	331C11E5C36BB0FACEE1DD37E24AF285675C55AE
SHA-256:	522384EEF75C844144E078BC6734EA06BCFAB681C5D0EA1743969C77A8F1ECE8
SHA-512:	79E3469E01E220EB4051276655928D9CE960A0C88432C45802E45458619FA722E1727A0DC3815C4E741DFB663D5721F2DA28BB15E6528F6D5EB3719681DA35AA
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFBB73873C08524CC1.TMP, Author: Joe Security
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD464E4C785549617.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.429445592604749
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	XCnB8SL.exe
File size:	5'620'200 bytes
MD5:	775ef50f591afeede47eaafe8374ef2c
SHA1:	7feb49273c10fddb392c64b72649556a09f82175
SHA256:	03643b6b2ee2967f0fa11d123fbdaf71109eec1c3aa771f5789fda09ef2500af
SHA512:	281bc79539a8d72bb43e55372f4fa734f9b8395cf987438f8a8c5ac70f6912d0bbfd04ad826995947e71abdeb15e11ff027f767e670dc50e1a0e6978de3f506f
SSDEEP:	49152:0EEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:9Es6efPNwJ4t1h0cG5FGJRPxow8O
TLSH:	0946E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9771ee6344923fa220489ab01239bdfd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FBB2CC0785Ah
jmp 00007FBB2CC0730Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007FBB2CC07497h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x129c4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x533074	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x546200	0x15fe8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54a000	0xea8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f20	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11e60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb1af	0xb200	d9fa6da0baf4b869720be833223490cb	False	0.6123156601123596	data	6.592039633797327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x6078	0x6200	8b45a1035c0de72f910a75db7749f735	False	0.41549744897959184	data	4.786621464556291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x11e4	0x800	1f4cc86b6735a74429c9d1feb93e2871	False	0.18310546875	data	2.265083745848167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x533074	0x533200	d813d73373778ed5b0a4b71b252379eb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54a000	0xea8	0x1000	a93b0f39998e1e69e5944da8c5ff06b1	False	0.72265625	data	6.301490309336801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FILES	0x163d4	0x86000	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.3962220149253731
FILES	0x9c3d4	0x1a4600	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.5111589431762695
FILES	0x2409d4	0x1ac00	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.4415066442757009
FILES	0x25b5d4	0x2ec318	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.9810924530029297
FILES	0x5478ec	0x1600	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.3908025568181818
RT_MANIFEST	0x548eec	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
mscoree.dll	CorBindToRuntimeEx
KERNEL32.dll	GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll	VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:25:07.619970083 CET	49731	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:07.620032072 CET	443	49731	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:07.620112896 CET	49731	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:08.182048082 CET	49731	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:08.182090044 CET	443	49731	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:08.182607889 CET	443	49731	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:10.325102091 CET	49733	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:10.325148106 CET	443	49733	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:10.325222969 CET	49733	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:10.330344915 CET	49733	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:10.330367088 CET	443	49733	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:10.330424070 CET	443	49733	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:12.960361004 CET	49736	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:12.960412979 CET	443	49736	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:12.960624933 CET	49736	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:12.962395906 CET	49736	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:12.962414026 CET	443	49736	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:12.962456942 CET	443	49736	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:16.904747009 CET	49740	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:16.904778957 CET	443	49740	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:16.904848099 CET	49740	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:16.906989098 CET	49740	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:16.906996965 CET	443	49740	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:16.907032967 CET	443	49740	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:22.199337959 CET	49746	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:22.199387074 CET	443	49746	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:22.199785948 CET	49746	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:22.207242012 CET	49746	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:22.207254887 CET	443	49746	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:22.207329035 CET	443	49746	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:29.085851908 CET	49747	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:29.085910082 CET	443	49747	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:29.085994959 CET	49747	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:29.088176966 CET	49747	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:29.088196993 CET	443	49747	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:29.088251114 CET	443	49747	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:39.326447010 CET	49748	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:39.326513052 CET	443	49748	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:39.326632977 CET	49748	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:39.328553915 CET	49748	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:39.328588009 CET	443	49748	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:39.328641891 CET	443	49748	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:57.752973080 CET	49750	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:57.753066063 CET	443	49750	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:57.753308058 CET	49750	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:57.756211042 CET	49750	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:25:57.756257057 CET	443	49750	51.195.188.103	192.168.2.4
Jan 14, 2025 11:25:57.756320000 CET	443	49750	51.195.188.103	192.168.2.4
Jan 14, 2025 11:26:27.098412991 CET	49937	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:26:27.098500967 CET	443	49937	51.195.188.103	192.168.2.4
Jan 14, 2025 11:26:27.098591089 CET	49937	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:26:27.101655006 CET	49937	443	192.168.2.4	51.195.188.103
Jan 14, 2025 11:26:27.101689100 CET	443	49937	51.195.188.103	192.168.2.4
Jan 14, 2025 11:26:27.101756096 CET	443	49937	51.195.188.103	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:25:07.552186012 CET	54666	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:25:07.575908899 CET	53	54666	1.1.1.1	192.168.2.4
Jan 14, 2025 11:25:39.292921066 CET	62481	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:25:39.316541910 CET	53	62481	1.1.1.1	192.168.2.4
Jan 14, 2025 11:26:27.046205997 CET	49943	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:26:27.072235107 CET	53	49943	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:25:07.552186012 CET	192.168.2.4	1.1.1.1	0xb511	Standard query (0)	instance-lsc69n-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:25:39.292921066 CET	192.168.2.4	1.1.1.1	0x404e	Standard query (0)	instance-lsc69n-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:26:27.046205997 CET	192.168.2.4	1.1.1.1	0x855c	Standard query (0)	instance-lsc69n-relay.screenconnect.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:25:07.575908899 CET	1.1.1.1	192.168.2.4	0xb511	No error (0)	instance-lsc69n-relay.screenconnect.com	server-ovh3183109-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:25:07.575908899 CET	1.1.1.1	192.168.2.4	0xb511	No error (0)	server-ovh3183109-relay.screenconnect.com		51.195.188.103	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:25:39.316541910 CET	1.1.1.1	192.168.2.4	0x404e	No error (0)	instance-lsc69n-relay.screenconnect.com	server-ovh3183109-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:25:39.316541910 CET	1.1.1.1	192.168.2.4	0x404e	No error (0)	server-ovh3183109-relay.screenconnect.com		51.195.188.103	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:26:27.072235107 CET	1.1.1.1	192.168.2.4	0x855c	No error (0)	instance-lsc69n-relay.screenconnect.com	server-ovh3183109-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:26:27.072235107 CET	1.1.1.1	192.168.2.4	0x855c	No error (0)	server-ovh3183109-relay.screenconnect.com		51.195.188.103	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:25:00
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\XCnB8SL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XCnB8SL.exe"
Imagebase:	0x4a0000
File size:	5'620'200 bytes
MD5 hash:	775EF50F591AFEEDE47EAAFE8374EF2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1737679408.0000000005600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1701353573.00000000004B6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	05:25:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	05:25:01
Start date:	14/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff60d750000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	05:25:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 46499482A1C987A47F631462B5FC519F C
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	05:25:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC8CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6342953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0x960000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	05:25:04
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FCF81E7E4DBCAD9001FC90A4A907F90F
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	05:25:04
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F1D3D1CC367989CF5F4FD5B0487C8313 E Global\MSI0000
Imagebase:	0x1c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	05:25:04
Start date:	14/01/2025
Path:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=8ac31f4f-82f1-4248-8c0d-ccc961cc8384&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c="
Imagebase:	0x270000
File size:	95'512 bytes
MD5 hash:	75B21D04C69128A7230A0998086B61AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	05:25:06
Start date:	14/01/2025
Path:	C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "df00d6c5-123e-4382-ad58-82662d08eea7" "User"
Imagebase:	0x3d0000
File size:	602'392 bytes
MD5 hash:	1778204A8C3BC2B8E5E4194EDBAF7135
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.2955245651.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1759000229.00000000003D2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	05:25:07
Start date:	14/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false