Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
XCnB8SL.exe

Overview

General Information

Sample name:XCnB8SL.exe
Analysis ID:1590620
MD5:775ef50f591afeede47eaafe8374ef2c
SHA1:7feb49273c10fddb392c64b72649556a09f82175
SHA256:03643b6b2ee2967f0fa11d123fbdaf71109eec1c3aa771f5789fda09ef2500af
Tags:exemalwaretrojanuser-Joker
Infos:

Detection

ScreenConnect Tool
Score:63
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:32
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

Process Tree

  • System is w10x64
  • XCnB8SL.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\XCnB8SL.exe" MD5: 775EF50F591AFEEDE47EAAFE8374EF2C)
    • msiexec.exe (PID: 5996 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 5036 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6540 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1ABC939BAD5B2091C3DFE6B16FAB8E93 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA26B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3908312 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7276 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 60FC33D3A154F12012949CE4C1F7B68A MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7320 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F82F1306E1EE0DF6A4C6CD3F8461BBF6 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7356 cmdline: "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c=" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 7420 cmdline: "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "63470ffb-1a11-4f64-bd4a-bf35c009e72e" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 7560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
XCnB8SL.exeJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Windows\Temp\~DF073FA8E1DD4A9C2C.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
      C:\Windows\Temp\~DF13029D5D967EF923.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
        C:\Windows\Temp\~DF9705A8FCA773DFDD.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
          C:\Windows\Installer\inprogressinstallinfo.ipiJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
            C:\Windows\Temp\~DFE0E0B9C080B2419C.TMPJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
              Click to see the 5 entries

              Memory Dumps

              SourceRuleDescriptionAuthorStrings
              00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                00000000.00000002.2071871270.0000000005D00000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                  00000000.00000002.2074796983.0000000007B51000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                    00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                      00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                        Click to see the 3 entries

                        Unpacked PEs

                        SourceRuleDescriptionAuthorStrings
                        9.2.ScreenConnect.WindowsClient.exe.307fa10.4.raw.unpackJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                          9.0.ScreenConnect.WindowsClient.exe.d10000.0.unpackJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                            0.2.XCnB8SL.exe.5d00000.11.raw.unpackJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                              0.2.XCnB8SL.exe.5d00000.11.unpackJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                                0.0.XCnB8SL.exe.a8c3d4.4.raw.unpackJoeSecurity_ScreenConnectToolYara detected ScreenConnect ToolJoe Security
                                  Click to see the 3 entries

                                  Sigma Signatures

                                  System Summary

                                  barindex
                                  Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c=", ProcessId: 7356, ProcessName: ScreenConnect.ClientService.exe
                                  Sigma detected: CurrentVersion Autorun Keys Modification
                                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (78092984cb0cb00b) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 5036, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-27D7-3AA2A021A8A7}\(Default)
                                  Sigma detected: Windows Processes Suspicious Parent Directory
                                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7560, ProcessName: svchost.exe

                                  Suricata Signatures

                                  No Suricata rule has matched

                                  Joe Sandbox Signatures

                                  Click to jump to signature section

                                  Show All Signature Results

                                  AV Detection

                                  barindex
                                  Multi AV Scanner detection for submitted file
                                  Source: XCnB8SL.exeVirustotal: Detection: 22%Perma Link
                                  Source: XCnB8SL.exeReversingLabs: Detection: 18%
                                  AI detected suspicious sample
                                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 89.0% probability
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_04100F48 CryptProtectData,8_2_04100F48
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_04101733 CryptProtectData,8_2_04101733
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeEXE: msiexec.exeJump to behavior

                                  Compliance

                                  barindex
                                  EXE planting / hijacking vulnerabilities found
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeEXE: msiexec.exeJump to behavior
                                  Uses 32bit PE files
                                  Source: XCnB8SL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  PE / OLE file has a valid certificate
                                  Source: XCnB8SL.exeStatic PE information: certificate valid
                                  Contains modern PE file flags such as dynamic base (ASLR) or NX
                                  Source: XCnB8SL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Binary contains paths to debug symbols
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: XCnB8SL.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: XCnB8SL.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: XCnB8SL.exe
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.PDBfo source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: XCnB8SL.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906097681.0000000001500000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3906975623.0000000002E82000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: XCnB8SL.exe
                                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2083274157.00000000003DD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: XCnB8SL.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2064470741.0000000004910000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.PDB[ source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.pdbC: source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: XCnB8SL.exe, 3ba79d.msi.3.dr, MSIA9AE.tmp.3.dr, MSIA9CE.tmp.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3ba79b.msi.3.dr, 3ba79c.rbs.3.dr, MSIAD0B.tmp.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: XCnB8SL.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: XCnB8SL.exe, 3ba79d.msi.3.dr, MSIA26B.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 3ba79b.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906495064.0000000001682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906495064.0000000001682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: XCnB8SL.exe
                                  Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                  Source: C:\Windows\System32\svchost.exeFile opened: c:
                                  Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior

                                  Networking

                                  barindex
                                  Enables network access during safeboot for specific services
                                  Source: C:\Windows\System32\msiexec.exeRegistry value created: NULL ServiceJump to behavior
                                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: global trafficDNS traffic detected: DNS query: instance-lsc69n-relay.screenconnect.com
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                  Source: svchost.exe, 0000000A.00000002.3723359025.0000016B4DA14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                  Source: ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                                  Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                                  Source: qmgr.db.10.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/X
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/b
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001D02000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001E65000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001B9E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001C72000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001EE3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001D96000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001E4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/d
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://instance-lsc69n-relay.screenconnect.com:443/t
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0C
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
                                  Source: XCnB8SL.exe, 00000000.00000002.2052306376.0000000003281000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001AD2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                  Source: rundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                  Source: rundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/news/
                                  Source: rundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drString found in binary or memory: http://wixtoolset.org/releases/
                                  Source: XCnB8SL.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.3.drString found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                                  Source: ScreenConnect.Core.dll.3.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                                  Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                                  Source: svchost.exe, 0000000A.00000003.2108651745.0000016B4D8E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                                  Source: qmgr.db.10.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49906
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987

                                  Spam, unwanted Advertisements and Ransom Demands

                                  barindex
                                  Reads the Security eventlog
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnectJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnectJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Reads the System eventlog
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnectJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

                                  System Summary

                                  barindex
                                  Detected potential unwanted application
                                  Source: XCnB8SL.exePE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3ba79b.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{26586069-DB09-5B84-A5DF-3B119579CF02}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9AE.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9CE.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0B.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3ba79d.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3ba79d.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}\DefaultIconJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{26586069-DB09-5B84-A5DF-3B119579CF02}.SchedServiceConfig.rmiJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\nd2nd5mw.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\nd2nd5mw.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\jvqwajge.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\jvqwajge.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\o4mub5hk.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\o4mub5hk.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\gmvqx2vn.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\gmvqx2vn.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\asuww1af.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\asuww1af.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\14qsrdww.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\14qsrdww.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\3msh5d2x.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\3msh5d2x.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\4inpdtq2.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\4inpdtq2.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\ta4dbpp0.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\ta4dbpp0.newcfgJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\icmv2rz5.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\icmv2rz5.newcfgJump to behavior
                                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIA9CE.tmpJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE87D80_2_05BE87D8
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BEBA410_2_05BEBA41
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE87C80_2_05BE87C8
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE7DB00_2_05BE7DB0
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05C00CB80_2_05C00CB8
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05C01E9B0_2_05C01E9B
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A870DD9_2_00007FF848A870DD
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A810CF9_2_00007FF848A810CF
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A810D79_2_00007FF848A810D7
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D993559_2_00007FF848D99355
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D976FA9_2_00007FF848D976FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D9B6C19_2_00007FF848D9B6C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D92A309_2_00007FF848D92A30
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D9E7209_2_00007FF848D9E720
                                  Source: XCnB8SL.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: XCnB8SL.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: XCnB8SL.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: XCnB8SL.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: XCnB8SL.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: XCnB8SL.exe, 00000000.00000002.2071871270.0000000005EBC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2071871270.0000000005EBC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2071871270.0000000005EBC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2071871270.0000000005EBC000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2068560480.0000000005800000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2054338418.0000000004443000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2068419734.0000000005720000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000F2F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2052173480.00000000018F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2069192500.0000000005A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2069192500.0000000005A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
                                  Source: XCnB8SL.exe, 00000000.00000002.2069192500.0000000005A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenamezlib.dll2 vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenamewixca.dll\ vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs XCnB8SL.exe
                                  Source: XCnB8SL.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs XCnB8SL.exe
                                  Source: XCnB8SL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: classification engineClassification label: mal63.evad.winEXE@16/66@4/2
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)Jump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCnB8SL.exe.logJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeMutant created: NULL
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                                  Source: XCnB8SL.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: XCnB8SL.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA26B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3908312 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: XCnB8SL.exeVirustotal: Detection: 22%
                                  Source: XCnB8SL.exeReversingLabs: Detection: 18%
                                  Source: XCnB8SL.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                                  Source: XCnB8SL.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeFile read: C:\Users\user\Desktop\XCnB8SL.exeJump to behavior
                                  Source: unknownProcess created: C:\Users\user\Desktop\XCnB8SL.exe "C:\Users\user\Desktop\XCnB8SL.exe"
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"
                                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1ABC939BAD5B2091C3DFE6B16FAB8E93 C
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA26B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3908312 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60FC33D3A154F12012949CE4C1F7B68A
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F82F1306E1EE0DF6A4C6CD3F8461BBF6 E Global\MSI0000
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c="
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "63470ffb-1a11-4f64-bd4a-bf35c009e72e" "User"
                                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1ABC939BAD5B2091C3DFE6B16FAB8E93 CJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 60FC33D3A154F12012949CE4C1F7B68AJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F82F1306E1EE0DF6A4C6CD3F8461BBF6 E Global\MSI0000Jump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA26B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3908312 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "63470ffb-1a11-4f64-bd4a-bf35c009e72e" "User"Jump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: rasapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: rasman.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: rtutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeSection loaded: dwrite.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                                  Source: Window RecorderWindow detected: More than 3 window changes detected
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                                  Source: XCnB8SL.exeStatic PE information: certificate valid
                                  Source: XCnB8SL.exeStatic file information: File size 5620200 > 1048576
                                  Source: XCnB8SL.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: XCnB8SL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: XCnB8SL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: XCnB8SL.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: XCnB8SL.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: XCnB8SL.exe
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.PDBfo source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: XCnB8SL.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906097681.0000000001500000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3906975623.0000000002E82000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: XCnB8SL.exe
                                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2083274157.00000000003DD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: XCnB8SL.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2064470741.0000000004910000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.PDB[ source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
                                  Source: Binary string: \??\C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.pdbC: source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: XCnB8SL.exe, 3ba79d.msi.3.dr, MSIA9AE.tmp.3.dr, MSIA9CE.tmp.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 3ba79b.msi.3.dr, 3ba79c.rbs.3.dr, MSIAD0B.tmp.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: XCnB8SL.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: XCnB8SL.exe, 3ba79d.msi.3.dr, MSIA26B.tmp.2.dr, ScreenConnect.ClientSetup.msi.0.dr, 3ba79b.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906495064.0000000001682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906495064.0000000001682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3918898605.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3916588673.0000000013010000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: XCnB8SL.exe
                                  Source: XCnB8SL.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: XCnB8SL.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: XCnB8SL.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: XCnB8SL.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: XCnB8SL.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                  Source: ScreenConnect.Client.dll.3.drStatic PE information: 0x94F102E7 [Mon Mar 8 13:28:07 2049 UTC]
                                  Source: MSIA9CE.tmp.3.drStatic PE information: real checksum: 0x0 should be: 0x3d8a7
                                  Source: MSIA26B.tmp.2.drStatic PE information: real checksum: 0x2f213 should be: 0x1125d0
                                  Source: MSIAD0B.tmp.3.drStatic PE information: real checksum: 0x0 should be: 0x3d8a7
                                  Source: XCnB8SL.exeStatic PE information: real checksum: 0x54d1c1 should be: 0x565c97
                                  Source: ScreenConnect.WindowsAuthenticationPackage.dll.3.drStatic PE information: section name: _RDATA
                                  Source: ScreenConnect.WindowsCredentialProvider.dll.3.drStatic PE information: section name: _RDATA
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_018570B0 push eax; mov dword ptr [esp], ecx0_2_018570C1
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE6460 pushfd ; retf 0_2_05BE6461
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE3AD7 push ebx; retf 0_2_05BE3ADA
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05C03AD2 push ebx; retf 0_2_05C03ADA
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_06EF848D push es; ret 5_3_06EF8490
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_04101A25 push 8B02A723h; retf 8_2_04101A2A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_054FFF91 push ss; retn 0014h8_2_054FFFA5
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_054FBB60 push eax; iretd 8_2_054FBB61
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_054FBB78 pushad ; iretd 8_2_054FBB79
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_05C71161 push esp; ret 8_2_05C71173
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_05C71100 pushad ; ret 8_2_05C71113
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A9096D push ebx; retf 9_2_00007FF848A9098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A922B1 push ebx; retf 9_2_00007FF848A922FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A908CD push ebx; retf 9_2_00007FF848A9098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848A800BD pushad ; iretd 9_2_00007FF848A800C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D99355 push 0000006Ch; iretd 9_2_00007FF848D993B4
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D9C1A6 push ds; iretd 9_2_00007FF848D9C22F
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D92F5A pushfd ; iretd 9_2_00007FF848D92F5B
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848D98F28 push 0000006Ch; iretd 9_2_00007FF848D993B4

                                  Persistence and Installation Behavior

                                  barindex
                                  Possible COM Object hijacking
                                  Source: c:\program files (x86)\screenconnect client (78092984cb0cb00b)\screenconnect.windowscredentialprovider.dllCOM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-27d7-3aa2a021a8a7}\inprocserver32
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9CE.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0B.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9CE.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD0B.tmpJump to dropped file
                                  Source: ScreenConnect.ClientService.dll.3.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (78092984cb0cb00b)Jump to behavior

                                  Hooking and other Techniques for Hiding and Protection

                                  barindex
                                  Contains functionality to hide user accounts
                                  Source: XCnB8SL.exe, 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: XCnB8SL.exe, 00000000.00000002.2069192500.0000000005A00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: rundll32.exe, 00000005.00000003.2058446825.0000000004A97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906097681.0000000001500000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3921425071.000000001BED2000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3906975623.0000000002E82000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: XCnB8SL.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.5.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.ClientService.dll.3.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 1850000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 3280000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 31B0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 6B50000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 6230000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 7B50000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 8B50000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: 8DE0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeMemory allocated: 19F0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeMemory allocated: 1A70000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeMemory allocated: 3A70000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeMemory allocated: 12C0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeMemory allocated: 1B000000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA9CE.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAD0B.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeAPI coverage: 2.1 %
                                  Source: C:\Users\user\Desktop\XCnB8SL.exe TID: 4796Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe TID: 7408Thread sleep count: 33 > 30Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe TID: 7640Thread sleep time: -30000s >= -30000sJump to behavior
                                  Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\System32\svchost.exe TID: 7596Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: svchost.exe, 0000000A.00000002.3722965165.0000016B4842B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3723465508.0000016B4DA56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3723422919.0000016B4DA45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3925807989.00000000048C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeMemory allocated: page read and write | page guardJump to behavior
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (78092984cb0cb00b)\screenconnect.clientservice.exe" "?e=access&y=guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=bgiaaackaabsu0exaagaaaeaaqdz3wp49cujwp4h5bw8x1hizbj8xqf10olccxaigzla90hkmwx1pommvdekr%2f1ydt2f%2fcesxcnjci949ntm9ws%2bw5gbyjz72k0cotu%2bcvtipts8tu7niual9hyr6mtxrzs3fwvfyqtzf8xnxff9nhwfltaz09ihyuz%2fxxo2gwvtjaynojjc2bbek8nsdoqvf2gllrcq39zqn%2bfpki7cyzjipm28zym9nafvb4kfnf9ff36n1je3i4j4bmsnjliokqsw5tlxsmw1qdr%2f%2f4kh454a2dls4m6chsnnfuofw2ddjotmpilqdaoawqlbijbke5fu5nzdwzvmkskoaqsbr%2fq%2b&c=screenconnect&c=&c=&c=&c=&c=&c=&c="
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Progman
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exeCode function: 8_2_054F0784 CreateNamedPipeW,8_2_054F0784
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeCode function: 0_2_05BE2D07 RtlGetVersion,0_2_05BE2D07
                                  Source: C:\Users\user\Desktop\XCnB8SL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                                  Lowering of HIPS / PFW / Operating System Security Settings

                                  barindex
                                  Modifies security policies related information
                                  Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication PackagesJump to behavior
                                  Source: Yara matchFile source: XCnB8SL.exe, type: SAMPLE
                                  Source: Yara matchFile source: 9.2.ScreenConnect.WindowsClient.exe.307fa10.4.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.0.ScreenConnect.WindowsClient.exe.d10000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.2.XCnB8SL.exe.5d00000.11.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.2.XCnB8SL.exe.5d00000.11.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.XCnB8SL.exe.a8c3d4.4.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.XCnB8SL.exe.ab5db0.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.XCnB8SL.exe.a063d4.5.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.XCnB8SL.exe.9f0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000002.2071871270.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000002.2074796983.0000000007B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: XCnB8SL.exe PID: 5536, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7188, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7420, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF073FA8E1DD4A9C2C.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF13029D5D967EF923.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF9705A8FCA773DFDD.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFE0E0B9C080B2419C.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF67873B7E01A4A003.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF2B6392307D5813D3.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Config.Msi\3ba79c.rbs, type: DROPPED
                                  Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\MSIA9AE.tmp, type: DROPPED

                                  Mitre Att&ck Matrix

                                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                  Gather Victim Identity InformationAcquire Infrastructure1
                                  Replication Through Removable Media                                  		12
                                  Command and Scripting Interpreter                                  		1
                                  Component Object Model Hijacking                                  		1
                                  Component Object Model Hijacking                                  		22
                                  Masquerading                                  		OS Credential Dumping11
                                  Security Software Discovery                                  		Remote Services1
                                  Archive Collected Data                                  		22
                                  Encrypted Channel                                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                  CredentialsDomainsDefault AccountsScheduled Task/Job2
                                  Windows Service                                  		2
                                  Windows Service                                  		11
                                  Disable or Modify Tools                                  		LSASS Memory2
                                  Process Discovery                                  		Remote Desktop ProtocolData from Removable Media1
                                  Non-Application Layer Protocol                                  		Exfiltration Over BluetoothNetwork Denial of Service
                                  Email AddressesDNS ServerDomain AccountsAt1
                                  Bootkit                                  		13
                                  Process Injection                                  		41
                                  Virtualization/Sandbox Evasion                                  		Security Account Manager41
                                  Virtualization/Sandbox Evasion                                  		SMB/Windows Admin SharesData from Network Shared Drive2
                                  Application Layer Protocol                                  		Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal AccountsCron1
                                  DLL Side-Loading                                  		1
                                  DLL Side-Loading                                  		13
                                  Process Injection                                  		NTDS11
                                  Peripheral Device Discovery                                  		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchd1
                                  DLL Search Order Hijacking                                  		1
                                  DLL Search Order Hijacking                                  		1
                                  Hidden Users                                  		LSA Secrets1
                                  File and Directory Discovery                                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                  Obfuscated Files or Information                                  		Cached Domain Credentials24
                                  System Information Discovery                                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                                  Bootkit                                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                  Rundll32                                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                                  Timestomp                                  		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                                  DLL Side-Loading                                  		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                  DLL Search Order Hijacking                                  		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                  File Deletion                                  		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                                  Behavior Graph

                                  Hide Legend

                                  Legend:

                                  • Process
                                  • Signature
                                  • Created File
                                  • DNS/IP Info
                                  • Is Dropped
                                  • Is Windows Process
                                  • Number of created Registry Values
                                  • Number of created Files
                                  • Visual Basic
                                  • Delphi
                                  • Java
                                  • .Net C# or VB.NET
                                  • C, C++ or other language
                                  • Is malicious
                                  • Internet
                                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1590620 Sample: XCnB8SL.exe Startdate: 14/01/2025 Architecture: WINDOWS Score: 63 55 instance-lsc69n-relay.screenconnect.com 2->55 57 server-ovh3183109-relay.screenconnect.com 2->57 65 Multi AV Scanner detection for submitted file 2->65 67 Detected potential unwanted application 2->67 69 Contains functionality to hide user accounts 2->69 71 3 other signatures 2->71 8 msiexec.exe 94 48 2->8         started        12 ScreenConnect.ClientService.exe 17 23 2->12         started        15 XCnB8SL.exe 6 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 35 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->35 dropped 37 C:\...\ScreenConnect.ClientService.exe, PE32 8->37 dropped 39 C:\Windows\Installer\MSIAD0B.tmp, PE32 8->39 dropped 43 9 other files (none is malicious) 8->43 dropped 73 Enables network access during safeboot for specific services 8->73 75 Modifies security policies related information 8->75 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        23 msiexec.exe 8->23         started        59 server-ovh3183109-relay.screenconnect.com 51.195.188.103, 443, 49705, 49708 OVHFR France 12->59 77 Reads the Security eventlog 12->77 79 Reads the System eventlog 12->79 25 ScreenConnect.WindowsClient.exe 2 12->25         started        41 C:\Users\user\AppData\...\XCnB8SL.exe.log, ASCII 15->41 dropped 81 Contains functionality to hide user accounts 15->81 28 msiexec.exe 6 15->28         started        61 127.0.0.1 unknown unknown 17->61 file6 signatures7 process8 file9 31 rundll32.exe 11 19->31         started        83 Contains functionality to hide user accounts 25->83 45 C:\Users\user\AppData\Local\...\MSIA26B.tmp, PE32 28->45 dropped signatures10 process11 file12 47 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->47 dropped 49 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->49 dropped 51 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->51 dropped 53 4 other files (none is malicious) 31->53 dropped 63 Contains functionality to hide user accounts 31->63 signatures13

                                  Screenshots

                                  Thumbnails

                                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                  windows-stand

                                  Antivirus, Machine Learning and Genetic Malware Detection

                                  Initial Sample

                                  SourceDetectionScannerLabelLink
                                  XCnB8SL.exe23%VirustotalBrowse
                                  XCnB8SL.exe18%ReversingLabsWin32.Exploit.ScreenConnectTool

                                  Dropped Files

                                  SourceDetectionScannerLabelLink
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll0%ReversingLabs
                                  C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.Cab.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Core.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.InstallerActions.dll0%ReversingLabs
                                  C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Windows.dll0%ReversingLabs
                                  C:\Windows\Installer\MSIA9CE.tmp0%ReversingLabs
                                  C:\Windows\Installer\MSIAD0B.tmp0%ReversingLabs

                                  Unpacked PE Files

                                  No Antivirus matches

                                  Domains

                                  No Antivirus matches

                                  URLs

                                  SourceDetectionScannerLabelLink
                                  http://instance-lsc69n-relay.screenconnect.com:443/b0%Avira URL Cloudsafe
                                  https://feedback.screenconnect.com/Feedback.axd0%Avira URL Cloudsafe
                                  http://instance-lsc69n-relay.screenconnect.com:443/0%Avira URL Cloudsafe
                                  http://instance-lsc69n-relay.screenconnect.com:443/t0%Avira URL Cloudsafe
                                  http://instance-lsc69n-relay.screenconnect.com:443/X0%Avira URL Cloudsafe
                                  http://instance-lsc69n-relay.screenconnect.com:443/d0%Avira URL Cloudsafe

                                  Domains and IPs

                                  Contacted Domains

                                  NameIPActiveMaliciousAntivirus DetectionReputation
                                  server-ovh3183109-relay.screenconnect.com
                                  		51.195.188.103
                                  		truefalse
                                    		unknown
                                    instance-lsc69n-relay.screenconnect.com
                                    		unknown
                                    		unknowntrue
                                      		unknown

                                      URLs from Memory and Binaries

                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://g.live.com/odclientsettings/Prod/C:edb.log.10.dr, qmgr.db.10.drfalse
                                        		high
                                        http://instance-lsc69n-relay.screenconnect.com:443/XScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://wixtoolset.org/releases/rundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                          		high
                                          http://instance-lsc69n-relay.screenconnect.com:443/tScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/vrundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                            		high
                                            https://feedback.screenconnect.com/Feedback.axdScreenConnect.Core.dll.3.drfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://docs.rs/getrandom#nodejs-es-module-supportScreenConnect.WindowsCredentialProvider.dll.3.drfalse
                                              		high
                                              http://crl.ver)svchost.exe, 0000000A.00000002.3723359025.0000016B4DA14000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 0000000A.00000003.2108651745.0000016B4D8E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drfalse
                                                  		high
                                                  http://instance-lsc69n-relay.screenconnect.com:443/bScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://instance-lsc69n-relay.screenconnect.com:443/dScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001D02000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001E65000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001B9E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001C72000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001EE3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001D96000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001E4D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://wixtoolset.org/news/rundll32.exe, 00000005.00000003.2058655733.0000000004913000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2058446825.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.drfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameXCnB8SL.exe, 00000000.00000002.2052306376.0000000003281000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3907258191.0000000001AD2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://instance-lsc69n-relay.screenconnect.com:443/ScreenConnect.ClientService.exe, 00000008.00000002.3903866375.0000000000E61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      51.195.188.103
                                                      		server-ovh3183109-relay.screenconnect.comFrance
                                                      		16276OVHFRfalse

                                                      Private

                                                      IP
                                                      127.0.0.1

                                                      General Information

                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1590620
                                                      Start date and time:2025-01-14 11:32:45 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 45s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Run name:Run with higher sleep bypass
                                                      Number of analysed new started processes analysed:13
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:XCnB8SL.exe
                                                      Detection:MAL
                                                      Classification:mal63.evad.winEXE@16/66@4/2
                                                      EGA Information:
                                                      • Successful, ratio: 75%
                                                      HCA Information:
                                                      • Successful, ratio: 76%
                                                      • Number of executed functions: 249
                                                      • Number of non-executed functions: 6
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 13.107.253.45
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target rundll32.exe, PID 7188 because it is empty
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      No simulations

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      OVHFRhttps://offfryfjtht767755433.webflow.io/Get hashmaliciousUnknownBrowse
                                                      • 54.38.113.3
                                                      https://tinyurl.com/ch268ddpGet hashmaliciousUnknownBrowse
                                                      • 5.135.209.105
                                                      https://urlz.fr/tJIZGet hashmaliciousUnknownBrowse
                                                      • 51.38.120.206
                                                      http://id1223.adsalliance.xyzGet hashmaliciousUnknownBrowse
                                                      • 146.59.69.202
                                                      http://aeromorning.comGet hashmaliciousUnknownBrowse
                                                      • 145.239.192.166
                                                      trow.exeGet hashmaliciousUnknownBrowse
                                                      • 178.32.116.144
                                                      https://metafeedbackservice.com/606967319425038/form/Get hashmaliciousUnknownBrowse
                                                      • 54.38.78.53
                                                      http://welcom-trezzor-cdn.github.io/Get hashmaliciousHTMLPhisherBrowse
                                                      • 91.134.10.182
                                                      http://us-suite-trezzor-cdn.github.io/Get hashmaliciousHTMLPhisherBrowse
                                                      • 91.134.10.168

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dllhttps://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188Get hashmaliciousScreenConnect ToolBrowse
                                                        E-Deposit.exeGet hashmaliciousScreenConnect ToolBrowse
                                                          E-Deposit.exeGet hashmaliciousScreenConnect ToolBrowse
                                                            SecuredOnedrive.ClientSetup.exeGet hashmaliciousScreenConnect ToolBrowse
                                                              SecuredOnedrive.ClientSetup.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                NotaFiscalOnline.ClientSetup.ex#.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                  NotaFiscalOnline.ClientSetup.ex#.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                    file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                      file.exeGet hashmaliciousScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, XmrigBrowse
                                                                        C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dllhttps://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188Get hashmaliciousScreenConnect ToolBrowse
                                                                          E-Deposit.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                            E-Deposit.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                              SecuredOnedrive.ClientSetup.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                SecuredOnedrive.ClientSetup.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                  NotaFiscalOnline.ClientSetup.ex#.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                    NotaFiscalOnline.ClientSetup.ex#.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                      file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                        file.exeGet hashmaliciousScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, XmrigBrowse

                                                                                          Created / dropped Files

                                                                                          C:\Config.Msi\3ba79c.rbs

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):219463
                                                                                          Entropy (8bit):6.58460908773122
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:KI9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG+:KIuH2aCGw1ST1wQLdqv+
                                                                                          MD5:A3C0AF9421D64F0119A76DF01A55E55E
                                                                                          SHA1:B01AC6767C3B2DB752D69B33C85CFA81622F32B8
                                                                                          SHA-256:A2E449018265C83CB3E0B631E63F20058D1C2C4F5A4D7967B918AEB9570D9CBF
                                                                                          SHA-512:6ABD2621A91D1EFEA852E4AA8C160A1A98D2D69A35410B26FE84EFF9F0BBAD004C8E7B3AE16E4DB50A0925D8C1D08D21375FD1C349ED18F7B67E01699CDD2CB6
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\3ba79c.rbs, Author: Joe Security
                                                                                          Preview:...@IXOS.@.....@4,.Z.@.....@.....@.....@.....@.....@......&.{26586069-DB09-5B84-A5DF-3B119579CF02}'.ScreenConnect Client (78092984cb0cb00b)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{26586069-DB09-5B84-A5DF-3B119579CF02}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (78092984cb0cb00b)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3B03205B-69C9-C7FC-94C0-2E89FF1AA279}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{55AD7324-6C8C-8821-306B-DD4B0D7D0490}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{4A48F46B-EB96-8151-8A3F-7BFFFFF17649}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{7C3C87D9-D21D-BA5E-BBB3-7CFC426824C1}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{1D8B9AB5-7721-D02B-DBA6-E7196FEDCEF2}&.{26586069-DB09-5B84-A5DF-3B119579CF02}.@......&.{8DFF9E0B-7DD1-B617-98F6-3F01885CDC9F}&.{26586069-DB09-5B84-A5DF

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\Client.en-US.resources

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):50133
                                                                                          Entropy (8bit):4.759054454534641
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                          MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                          SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                          SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                          SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                          Malicious:false
                                                                                          Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\Client.resources

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):26722
                                                                                          Entropy (8bit):7.7401940386372345
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                          MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                          SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                          SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                          SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                          Malicious:false
                                                                                          Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Client.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):197120
                                                                                          Entropy (8bit):6.586775768189165
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                          MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                          SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                          SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                          SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: , Detection: malicious, Browse
                                                                                          • Filename: E-Deposit.exe, Detection: malicious, Browse
                                                                                          • Filename: E-Deposit.exe, Detection: malicious, Browse
                                                                                          • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                          • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                          • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                          • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ... ....... .......................`......#.....@.................................A...O.... ..|....................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...|.... ......................@..@.reloc.......@......................@..B................u.......H...........4............_...... .........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):68096
                                                                                          Entropy (8bit):6.06942231395039
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                          MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                          SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                          SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                          SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: , Detection: malicious, Browse
                                                                                          • Filename: E-Deposit.exe, Detection: malicious, Browse
                                                                                          • Filename: E-Deposit.exe, Detection: malicious, Browse
                                                                                          • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                          • Filename: SecuredOnedrive.ClientSetup.exe, Detection: malicious, Browse
                                                                                          • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                          • Filename: NotaFiscalOnline.ClientSetup.ex#.exe, Detection: malicious, Browse
                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):95512
                                                                                          Entropy (8bit):6.504684691533346
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                          MD5:75B21D04C69128A7230A0998086B61AA
                                                                                          SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                          SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                          SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................>)....@.................................p...x....`..P............L...)...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Core.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):548864
                                                                                          Entropy (8bit):6.034211651049746
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                          MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                          SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                          SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                          SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.Windows.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1721856
                                                                                          Entropy (8bit):6.639085961200334
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                          MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                          SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                          SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                          SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsAuthenticationPackage.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):260168
                                                                                          Entropy (8bit):6.416438906122177
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                          MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                          SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                          SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                          SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):61208
                                                                                          Entropy (8bit):6.310126082367387
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                          MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                          SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                          SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                          SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c+..........."...0.................. ........@.. ....................... .......r....@.....................................O....... ................)..............8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe.config

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):266
                                                                                          Entropy (8bit):4.842791478883622
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                          MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                          SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                          SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                          SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):602392
                                                                                          Entropy (8bit):6.176232491934078
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                          MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                          SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                          SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                          SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............@.................................M...O.... ...................)...@..........8............................................ ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......XJ......................$.........................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe.config

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):266
                                                                                          Entropy (8bit):4.842791478883622
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                          MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                          SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                          SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                          SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsCredentialProvider.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):842248
                                                                                          Entropy (8bit):6.268561504485627
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                          MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                          SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                          SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                          SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):81688
                                                                                          Entropy (8bit):5.8618809599146005
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                          MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                          SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                          SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                          SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o..........."...0..@...........^... ...`....@.. .......................`.......$....@..................................^..O....`...................)...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileManager.exe.config

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):266
                                                                                          Entropy (8bit):4.842791478883622
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                          MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                          SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                          SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                          SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

                                                                                          C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\system.config

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (474), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):964
                                                                                          Entropy (8bit):5.755234815592592
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dL9hK6E4dl/5/uLs1KlbR6uHxvrCUxUUvH:chh7HH5WLsU76e1jx5v
                                                                                          MD5:9DD908F9448013CCCE2DFE50617BD36C
                                                                                          SHA1:FDF380092CC6DC57BAF718F8892B9E8DD09B741D
                                                                                          SHA-256:0D52F9B94FB7A946C484778859D64ECDBE3961C13543251656F8731889C4F665
                                                                                          SHA-512:A79CFF2829B9A10DE1BF5625848FEA5D3C782E6B9657E45D8DD0FC2CDEE63838CFAD8504ABBE7802FF60919599EEFFDF24DFD58C2064CE0EBD865C9C61C06840
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=instance-lsc69n-relay.screenconnect.com&amp;p=443&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):8192
                                                                                          Entropy (8bit):0.3588072191296206
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                          MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                          SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                          SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                          SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                          Malicious:false
                                                                                          Preview:*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1310720
                                                                                          Entropy (8bit):0.8337404512740617
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugV:gJjJGtpTq2yv1AuNZRY3diu8iBVqFr
                                                                                          MD5:4D657B2E57A49C599D393A200ACB88B9
                                                                                          SHA1:C7A47E5293F268142C0C98CF61859027B200A67D
                                                                                          SHA-256:4714874F60E4F5E3A4202769A05BBE74531DE783F751A34AC5309AF406BA3FB2
                                                                                          SHA-512:C7A202B7EA67C1D3260E08BF8E5B0C5A8DFF522365A219C30E64DE0C1B57570B3D9BC6D002FFE2E289285135F0F54A5CCC8212DF881829C618C53A6AA2DC6196
                                                                                          Malicious:false
                                                                                          Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8640f96a, page size 16384, Windows version 10.0
                                                                                          Category:dropped
                                                                                          Size (bytes):1310720
                                                                                          Entropy (8bit):0.658479108998213
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:xSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:xaza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                          MD5:BCC7E8AB11325D86FC4AA0D1D4282DFC
                                                                                          SHA1:D4EEC963D1E638521EC956E32029EDBC98E931B4
                                                                                          SHA-256:3E90244A70DAC781A8E1D95CAF064800E3A9D06D267280AA9B037BBB3C5279E4
                                                                                          SHA-512:F1132DB2EDFEC730BA89428D410F4D8B26617ED48A93CAFAE0A1066D5880A514DA9A8E548010951CA95CA27764E73472EF4AEC606D9FD8FE8E78B4DC89201EEF
                                                                                          Malicious:false
                                                                                          Preview:.@.j... ...............X\...;...{......................T.~.....5#...}..*!...}].h.|.....5#...}..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................5#...}..................{.j5#...}...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):0.07932900074954069
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:3tOetYe4GrUrwpltjI7pQmk7pYP5zkYWpltJTzwpltAll58Kgvvl/QoeP/ll:drz9LLtw+oWYWLtJTMLtAz8KgR+t
                                                                                          MD5:D10870AFDE209A3BDF537FC52711572C
                                                                                          SHA1:DBE672D1F4267190C9052166804409CD7EC87743
                                                                                          SHA-256:74642E1071F20102AF98C3BE843836845FEEF2AD79E08672A01FB36D8B59FFB0
                                                                                          SHA-512:8D0809F9B91174B24193CE803CE871FD63469DD7FFD7A47B0E732E0458ED1C91937F04C2DBF469E23314809F68B09578E163E2E81510802AC49BF4689AE83C23
                                                                                          Malicious:false
                                                                                          Preview:{.vZ.....................................;...{..*!...}{.5#...}..........5#...}..5#...}..=.9.5#...}...................{.j5#...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCnB8SL.exe.log

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\XCnB8SL.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):321
                                                                                          Entropy (8bit):5.36509199858051
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                          MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                          SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                          SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                          SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                          Malicious:true
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):746
                                                                                          Entropy (8bit):5.349174276064173
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                          MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                          SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                          SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                          SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                          Malicious:false
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                          Category:dropped
                                                                                          Size (bytes):1088392
                                                                                          Entropy (8bit):7.789940577622617
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
                                                                                          MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                                                                          SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                                                                          SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                                                                          SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\CustomAction.config

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):234
                                                                                          Entropy (8bit):4.977464602412109
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                          MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                          SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                          SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                          SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                          Malicious:false
                                                                                          Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.Cab.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):49152
                                                                                          Entropy (8bit):4.62694170304723
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                          MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                          SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                          SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                          SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.Compression.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):36864
                                                                                          Entropy (8bit):4.340550904466943
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                          MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                          SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                          SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                          SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):57344
                                                                                          Entropy (8bit):4.657268358041957
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                          MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                          SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                          SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                          SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):176128
                                                                                          Entropy (8bit):5.775360792482692
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                          MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                          SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                          SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                          SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Core.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):548864
                                                                                          Entropy (8bit):6.034211651049746
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                          MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                          SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                          SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                          SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............." ..0..X...........s... ........... ..............................].....@.................................as..O.......t............................r..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc...t............Z..............@..@.reloc...............^..............@..B.................s......H........C..,/..................Dr........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.InstallerActions.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11776
                                                                                          Entropy (8bit):5.273875899788767
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
                                                                                          MD5:73A24164D8408254B77F3A2C57A22AB4
                                                                                          SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                                                                          SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                                                                          SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..&...........E... ...`....... ..............................D9....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...4%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o

                                                                                          C:\Users\user\AppData\Local\Temp\MSIA26B.tmp-\ScreenConnect.Windows.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1721856
                                                                                          Entropy (8bit):6.639085961200334
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                          MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                          SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                          SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                          SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y............." ..0..>..........~]... ...`....... ..............................8.....@.................................+]..O....`..|............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...|....`.......@..............@..@.reloc...............D..............@..B................_]......H.......t...d..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...

                                                                                          C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi

                                                                                          Download File
                                                                                          Process:C:\Users\user\Desktop\XCnB8SL.exe
                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                          Category:dropped
                                                                                          Size (bytes):8241152
                                                                                          Entropy (8bit):7.950625352101403
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
                                                                                          MD5:6B70BC0DF4BA3F20D5BE63B0397C5683
                                                                                          SHA1:CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
                                                                                          SHA-256:4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
                                                                                          SHA-512:BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
                                                                                          Malicious:false
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\3ba79b.msi

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                          Category:dropped
                                                                                          Size (bytes):8241152
                                                                                          Entropy (8bit):7.950625352101403
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
                                                                                          MD5:6B70BC0DF4BA3F20D5BE63B0397C5683
                                                                                          SHA1:CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
                                                                                          SHA-256:4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
                                                                                          SHA-512:BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
                                                                                          Malicious:false
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\3ba79d.msi

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {26586069-DB09-5B84-A5DF-3B119579CF02}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                          Category:dropped
                                                                                          Size (bytes):8241152
                                                                                          Entropy (8bit):7.950625352101403
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:9wJ4t1h0cG5FGJRPxow8OswJ4t1h0cG5hwJ4t1h0cG5XwJ4t1h0cG5:aWh0cGwbWh0cGkWh0cGeWh0cG
                                                                                          MD5:6B70BC0DF4BA3F20D5BE63B0397C5683
                                                                                          SHA1:CF8ED2A4EE48A2B9746DA1F27A5227C406C2BDF7
                                                                                          SHA-256:4B6BDD4D93A9288216BA83D840D66ABA82F82B96E4911C06917169A742EA84F0
                                                                                          SHA-512:BF486445AEFE60E3FFF7E07ADCE24A1F3AEEFA3F6B2334AEB3319BD7424123679E2EA76A5C7C18497FC3121F758EC02EC0379C3A53BB7B92AE32B435D2E3663A
                                                                                          Malicious:false
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\MSIA9AE.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):423537
                                                                                          Entropy (8bit):6.578435639004963
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:IuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvw:IuH2anwohwQUv5uH2anwohwQUvw
                                                                                          MD5:B04011630888AA8D899A85031F0F738E
                                                                                          SHA1:20F6C3C750DCD05A0547DA3065C9B97D0462D67C
                                                                                          SHA-256:AC53932C3A5E17F8B59BAA88C1A06CE1348F81DD8BD7D43CB2A5E436A52D69B0
                                                                                          SHA-512:BD073A75761A4F4F908EFD6848AE33091E881F116CDC0DE81F13075C3B24044FBE13F2F91F2EDB0F96D9097965E5FD544E3297FEFC7BDA9CBA93E6CCC135C7AE
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIA9AE.tmp, Author: Joe Security
                                                                                          Preview:...@IXOS.@.....@4,.Z.@.....@.....@.....@.....@.....@......&.{26586069-DB09-5B84-A5DF-3B119579CF02}'.ScreenConnect Client (78092984cb0cb00b)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{26586069-DB09-5B84-A5DF-3B119579CF02}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (78092984cb0cb00b)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3B03205B-69C9-C7FC-94C0-2E89FF1AA279}^.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{55AD7324-6C8C-8821-306B-DD4B0D7D0490}f.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{4A48F46B-EB96-8151-8A3F-7BFFFFF17649}c.C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsFileMa

                                                                                          C:\Windows\Installer\MSIA9CE.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):207360
                                                                                          Entropy (8bit):6.573348437503042
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                          MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                          SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                          SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                          SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\MSIAD0B.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):207360
                                                                                          Entropy (8bit):6.573348437503042
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                          MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                          SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                          SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                          SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\SourceHash{26586069-DB09-5B84-A5DF-3B119579CF02}

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.172752564121284
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:JSbX72FjBhQAGiLIlHVRpIh/7777777777777777777777777vDHFW/ju+kTI+73:Jf2QI5wOS49F
                                                                                          MD5:7370ABEA43AF999759BDAFA357A21AC0
                                                                                          SHA1:A300CA067C0F5153E00DE6573B49057FA1135117
                                                                                          SHA-256:562EBDEF98420C7F8725747BF1E52825851377F9C3E5E044D26BDA61ACB8A25C
                                                                                          SHA-512:7DE2986BC0EABC00CFFE182C5B460BD214DEAE042ECB72C030B59E95FE302770DD91D0BE57E5B807DE5191CE50444EBABF874F30F3B496F701ACC90374253104
                                                                                          Malicious:false
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.8220213382574337
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:l8PhjuRc06WXzIFT5DOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:Ihj1tFTdvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:908E33368EE8905A5292DC3A3686EF3E
                                                                                          SHA1:A2B0B37068EAB9788D043BA340B699D24DBEF056
                                                                                          SHA-256:BA9BB1836FBB049019A5AF4FADC3BCAA8662ADF541EB365BBE8DD951755DC19E
                                                                                          SHA-512:B55B81E11D0F46F38AB86F93050B62A0FFF3E40A31ED52164C60E15B93AC8CD234617A5FC7A757943F2EDF2E43B2C05751676853E8446FEE67CEE919F849BF1A
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Installer\{26586069-DB09-5B84-A5DF-3B119579CF02}\DefaultIcon

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                                          Category:dropped
                                                                                          Size (bytes):435
                                                                                          Entropy (8bit):5.289734780210945
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                                          MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                                          SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                                          SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                                          SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                                          Malicious:false
                                                                                          Preview:..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):364484
                                                                                          Entropy (8bit):5.365495302858802
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau7:zTtbmkExhMJCIpEM
                                                                                          MD5:0716406946C34A20E2C2459C0F30ABF7
                                                                                          SHA1:78013C183D638A10B00EDC317DC8D8A187B12D4D
                                                                                          SHA-256:A009A901A08D4847F767B10B6AACB5CE67AA8A67F2BD32446FA8EF03259572A1
                                                                                          SHA-512:5EB7DE1000B4B0CA63A65B8C87FD8EBB0A161640B49F5A2D23240F821FBD3C073862FC51E7D481E39B1E4579E6BBE6ADC79C5538A695458037D6BA41BCD759EB
                                                                                          Malicious:false
                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):55
                                                                                          Entropy (8bit):4.306461250274409
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                          Malicious:false
                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\14qsrdww.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.018936268933301
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSil/vXbAa3xT:2dL9hK6E46YPRH/vH
                                                                                          MD5:D750ECD284814036227B64C805B153E1
                                                                                          SHA1:D3A02669ABA28583B3634C97658FAA07C20BA93A
                                                                                          SHA-256:EDD9CAE9D07C4EA5256E1D6451DFF7A22A9BED000A5DF0FBA498B49643B36086
                                                                                          SHA-512:8F10DA18541E1860675163D796A095BFAFCBD2A173F2396F9E4B420DB476AF38CFF9EE6B3F5E90051CD6A0C9298A8251A97665BD5DF8CA07CD64489F21EAAF1D
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a34%3a10</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\3msh5d2x.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.022380111305443
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSis/vXbAa3xT:2dL9hK6E46YPRHwvH
                                                                                          MD5:069EC34472F16E3877D743E65D023C5C
                                                                                          SHA1:0BA4C520D79C4AABCF4163B5B959925FA07E9B64
                                                                                          SHA-256:F58D76E76C154CA9403EE55033C05265BEBC3091CC4DFB89E5E6CE20A56FF955
                                                                                          SHA-512:1F8D6F2A431E25BD91670F65099511C39F40F7E409D1461DB997DD5DA773B6D7CEA80B95D99EBEF30F0D08761DD6449DA5F666F64A8FC2EC80E4348D04949756
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a34%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\4inpdtq2.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.022876682340405
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSiPe/vXbAa3xT:2dL9hK6E46YPRH5EvH
                                                                                          MD5:257EAECFFD8A4529CE234FD5DD446A54
                                                                                          SHA1:C7DF42317F855F7E3F7252DF48D5B8222AFA81A5
                                                                                          SHA-256:D7DC5A77BE9794DF03C6A12A9F1B473F94CEC04E997260C4F47E4265E295DFF5
                                                                                          SHA-512:C48D8203176740E3BFA44B161765E6F5183C5414125632A1F082A5C4BCD8C23D1FBBB81E0C014EFE9DB7EA85AD770E1B84A47C8FEE9D2AEDE982318E5F343C4E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a34%3a48</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\asuww1af.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.021260415524154
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6b/vXbAa3xT:2dL9hK6E46YPRHzvH
                                                                                          MD5:508529B241D5B30FBDE68A8D6A9C5B98
                                                                                          SHA1:501B03FFF863A48DA4DFE69095E20D79A4A00713
                                                                                          SHA-256:96D9294006262FBDDAEFA39E0D92E6C8A11707374B3EAACBA71AE27AC25A8B64
                                                                                          SHA-512:7900A1E4E6AB01C227598D18CFDCCDB230C96D4BA802E38DF7DDA2087465B97834BE54265D1591CA433D32155E5B720927AE6A990DE08BA2D4CDF5A7E85D585B
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a59</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\gmvqx2vn.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.020763844489192
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6M/vXbAa3xT:2dL9hK6E46YPRHyvH
                                                                                          MD5:2CA2DD8CF1619C17215C66F5DBDCAB37
                                                                                          SHA1:AB0214A43219FE766C1C71F25F0B513D9057EB8D
                                                                                          SHA-256:38D609E344F8D3AE41066A8CE16A304A3C8EA74664454221A9E411B4EC8A6984
                                                                                          SHA-512:F555F99EC8B7B7B831AD813526EFF5CB76529956930596BCF20F155E5B2F2391447B3FC98210A7618619595823C664B1C3B9F8DD8062B95AEF00B23F6ADBAB2D
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a52</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\icmv2rz5.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.021371409654531
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSY/vXbAa3xT:2dL9hK6E46YPRHbvH
                                                                                          MD5:479E3D3B060B7861C4EDC2573AAD3568
                                                                                          SHA1:2FBBB61F3320062633644C429D2A408060DD62FD
                                                                                          SHA-256:D7057F1897865C09BA4D2377C944DADA5541BD00A2D71D8E0C26B3838FE55179
                                                                                          SHA-512:EFD41074EB841767CAAD08428804833A47D88CB28EBAE7280AA7CDC7F1BF83AA0EF8356029F31D67D4CA9C01A49BC39226837095E0F91FA80BF5C074149E581B
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a36%3a12</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\jvqwajge.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.021470591688965
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6XZIgg/vXbAa3xT:2dL9hK6E46YPRHnZIFvH
                                                                                          MD5:78BEAD5F5D4B34F7D998FB7A50CF0966
                                                                                          SHA1:56B3C272D7FC3CB54C417C1AB8001071275EE566
                                                                                          SHA-256:D7ED34268B94C75673F5EB7062EE3E49E901A95B63A0C8A98AF942A547CE35F4
                                                                                          SHA-512:BFD8DFD9D1399BC4475A456C7809A89CB67CA74FB4113E81900AA693D163DDF02ED6697C60B1EEA519C3CE9DD799A5684ED92A814E70CAD65699494C3BE00080
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a43</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\nd2nd5mw.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.020533418208936
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6c/vXbAa3xT:2dL9hK6E46YPRHCvH
                                                                                          MD5:ACD08718204AD2C0FCA5CA94DB4DD365
                                                                                          SHA1:C6117736B84864A72EE41C7631C83DA409D9FD39
                                                                                          SHA-256:82DF5E738BF33EAEE3D8A54BD1EC9CF116502928A95B1C470C29438F0A9B2ED2
                                                                                          SHA-512:12FE0EF9B71419AB6E12BD395C493994252D2EB0D6663E3D7A47AE974BF11F1445067D901B2E09EBBC1234F548809D57BE9A2E37405706CF3F57B0ADCDCFFAAC
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a41</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\o4mub5hk.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.023841227497362
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6TZAv/vXbAa3xT:2dL9hK6E46YPRHAvH
                                                                                          MD5:9C421D25CF32AA26F6907D36CF2A6402
                                                                                          SHA1:A36DC9007BA987EB97C1D652BB5FE542E663F47F
                                                                                          SHA-256:4D7F30FD038D60367FF2AF5223DCDFF16FC80CDE2E8F6014F6A39A32B4E32718
                                                                                          SHA-512:3B60DFC6E20854FB56FA9D56825D9B5246FCF7EBD6AE4E159F52F72FADB448DF9DF955792E94FB29686514316F2714CE91A29AB06C47EE70E290D4479213A61D
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a47</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\ta4dbpp0.newcfg

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.020350895907676
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmSzv/vXbAa3xT:2dL9hK6E46YPRHg3vH
                                                                                          MD5:A4D03A8816C839FDF6C0DDE687506A01
                                                                                          SHA1:C037D1F712DC4D6CE00BC34271866DE4242AA334
                                                                                          SHA-256:C6F6EAFD1664FF9E6874595AB52A54D583E6B728D840AAC8BC4771C493FCDBE8
                                                                                          SHA-512:979E52F92619626756EE0361FED22CAF85319BA12F30D918BE8CFC03CA94CEF18CC6C8AEE885296EEFFC5499E3767890B25667252B6C17DB1D92E5DCD6CA0CF6
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a35%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (78092984cb0cb00b)\user.config (copy)

                                                                                          Download File
                                                                                          Process:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):585
                                                                                          Entropy (8bit):5.020533418208936
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlqmS6c/vXbAa3xT:2dL9hK6E46YPRHCvH
                                                                                          MD5:ACD08718204AD2C0FCA5CA94DB4DD365
                                                                                          SHA1:C6117736B84864A72EE41C7631C83DA409D9FD39
                                                                                          SHA-256:82DF5E738BF33EAEE3D8A54BD1EC9CF116502928A95B1C470C29438F0A9B2ED2
                                                                                          SHA-512:12FE0EF9B71419AB6E12BD395C493994252D2EB0D6663E3D7A47AE974BF11F1445067D901B2E09EBBC1234F548809D57BE9A2E37405706CF3F57B0ADCDCFFAAC
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-lsc69n-relay.screenconnect.com=51.195.188.103-14%2f01%2f2025%2010%3a33%3a41</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

                                                                                          C:\Windows\Temp\~DF02845A1BCD1311B2.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF073FA8E1DD4A9C2C.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.8220213382574337
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:l8PhjuRc06WXzIFT5DOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:Ihj1tFTdvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:908E33368EE8905A5292DC3A3686EF3E
                                                                                          SHA1:A2B0B37068EAB9788D043BA340B699D24DBEF056
                                                                                          SHA-256:BA9BB1836FBB049019A5AF4FADC3BCAA8662ADF541EB365BBE8DD951755DC19E
                                                                                          SHA-512:B55B81E11D0F46F38AB86F93050B62A0FFF3E40A31ED52164C60E15B93AC8CD234617A5FC7A757943F2EDF2E43B2C05751676853E8446FEE67CEE919F849BF1A
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF073FA8E1DD4A9C2C.TMP, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF13029D5D967EF923.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.4360049958364194
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:aa7unth8FXzNT5aUpdOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:57HzToedvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:4594262EEE2F0CB1A8BF792D176DE315
                                                                                          SHA1:F7A4DBF51893D979FB5BC2AAD2668E2514142AA2
                                                                                          SHA-256:B457FEC18825E533CD3A7845E67B1303E4165996AEE9C24013E9C67329FBB3FF
                                                                                          SHA-512:6474D2110FDAF4703C1826BF2ACBA93A72228DBEA15367D45B327C24C8E2FE8452BD3A960A2FA0D71D1DCDFB4AF702DFD1DDE25881CBA5E572FE25CD5CAF8999
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF13029D5D967EF923.TMP, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF1D5EAEF98B831571.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF2B6392307D5813D3.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.4360049958364194
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:aa7unth8FXzNT5aUpdOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:57HzToedvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:4594262EEE2F0CB1A8BF792D176DE315
                                                                                          SHA1:F7A4DBF51893D979FB5BC2AAD2668E2514142AA2
                                                                                          SHA-256:B457FEC18825E533CD3A7845E67B1303E4165996AEE9C24013E9C67329FBB3FF
                                                                                          SHA-512:6474D2110FDAF4703C1826BF2ACBA93A72228DBEA15367D45B327C24C8E2FE8452BD3A960A2FA0D71D1DCDFB4AF702DFD1DDE25881CBA5E572FE25CD5CAF8999
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF2B6392307D5813D3.TMP, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF67873B7E01A4A003.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):1.8220213382574337
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:l8PhjuRc06WXzIFT5DOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:Ihj1tFTdvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:908E33368EE8905A5292DC3A3686EF3E
                                                                                          SHA1:A2B0B37068EAB9788D043BA340B699D24DBEF056
                                                                                          SHA-256:BA9BB1836FBB049019A5AF4FADC3BCAA8662ADF541EB365BBE8DD951755DC19E
                                                                                          SHA-512:B55B81E11D0F46F38AB86F93050B62A0FFF3E40A31ED52164C60E15B93AC8CD234617A5FC7A757943F2EDF2E43B2C05751676853E8446FEE67CEE919F849BF1A
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF67873B7E01A4A003.TMP, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DF9705A8FCA773DFDD.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):1.4360049958364194
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:aa7unth8FXzNT5aUpdOqpNxLJqcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFhl:57HzToedvIpofJdSSxhE0fCg5UjSl
                                                                                          MD5:4594262EEE2F0CB1A8BF792D176DE315
                                                                                          SHA1:F7A4DBF51893D979FB5BC2AAD2668E2514142AA2
                                                                                          SHA-256:B457FEC18825E533CD3A7845E67B1303E4165996AEE9C24013E9C67329FBB3FF
                                                                                          SHA-512:6474D2110FDAF4703C1826BF2ACBA93A72228DBEA15367D45B327C24C8E2FE8452BD3A960A2FA0D71D1DCDFB4AF702DFD1DDE25881CBA5E572FE25CD5CAF8999
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF9705A8FCA773DFDD.TMP, Author: Joe Security
                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DFB6BB3B4204D8C229.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DFD029BFE2B12A710B.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DFE0E0B9C080B2419C.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):69632
                                                                                          Entropy (8bit):0.2429090824880612
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:pvKkXDBAduvlS3qcq56AduvlSiwcdSSk63hR+U/FfCg5nUjQHIFh7NrVAHqpNP:RnxpofJdSSxhE0fCg5UjOu
                                                                                          MD5:ADBF41D9CCC167B7F5C4975D25D87F7A
                                                                                          SHA1:F2BA9E6EDB38C236B4E94A95F0118792898644F8
                                                                                          SHA-256:1A3366C352017B55F80494E3F1F2514D9328173F23860CF925D918AEEAA9719A
                                                                                          SHA-512:7293A3407974912A5A9F89FF15D392B8C7376EB8855796DC947BC26492AD34DC1334E8FA3397EF38B2E993408EEF54B1DAAFE3F9D2C609720B60BE653CAF1F26
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFE0E0B9C080B2419C.TMP, Author: Joe Security
                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DFE459A8246D0D3F63.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):32768
                                                                                          Entropy (8bit):0.07772108010182531
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOmH/juWfkTV69QASKChiVky6l51:2F0i8n0itFzDHFW/ju+kTI+7r
                                                                                          MD5:604F41315F25EA50492C617E793C924F
                                                                                          SHA1:5BECB03E704B583D809B3F82EF7621DA25F5FA78
                                                                                          SHA-256:65BAD11E0E9EEF6D9B782EA1B6A0937313F07DCF1E82A551344D71B449D71EBA
                                                                                          SHA-512:DEE6737444FBA3DD7BE7823344F5D377699741665106F28BDA2B6068ECAF3C5A6F8D77B260F7B5FA36B83EC012F6BB249BC87276747E6EC9D2923C2AB497CF17
                                                                                          Malicious:false
                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\Temp\~DFFE8E98839CB08DC8.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):512
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                          Malicious:false
                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.429445592604749
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:XCnB8SL.exe
                                                                                          File size:5'620'200 bytes
                                                                                          MD5:775ef50f591afeede47eaafe8374ef2c
                                                                                          SHA1:7feb49273c10fddb392c64b72649556a09f82175
                                                                                          SHA256:03643b6b2ee2967f0fa11d123fbdaf71109eec1c3aa771f5789fda09ef2500af
                                                                                          SHA512:281bc79539a8d72bb43e55372f4fa734f9b8395cf987438f8a8c5ac70f6912d0bbfd04ad826995947e71abdeb15e11ff027f767e670dc50e1a0e6978de3f506f
                                                                                          SSDEEP:49152:0EEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:9Es6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                          TLSH:0946E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........

                                                                                          File Icon

                                                                                          Icon Hash:00928e8e8686b000

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x4014ad
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:true
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:5
                                                                                          OS Version Minor:1
                                                                                          File Version Major:5
                                                                                          File Version Minor:1
                                                                                          Subsystem Version Major:5
                                                                                          Subsystem Version Minor:1
                                                                                          Import Hash:9771ee6344923fa220489ab01239bdfd

                                                                                          Authenticode Signature

                                                                                          Signature Valid:true
                                                                                          Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                          Signature Validation Error:The operation completed successfully
                                                                                          Error Number:0
                                                                                          Not Before, Not After
                                                                                          • 17/08/2022 02:00:00 16/08/2025 01:59:59
                                                                                          Subject Chain
                                                                                          • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                          Version:3
                                                                                          Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                          Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                          Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                          Serial:0B9360051BCCF66642998998D5BA97CE

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          call 00007FDE850D1F1Ah
                                                                                          jmp 00007FDE850D19CFh
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          push 00000000h
                                                                                          call dword ptr [0040D040h]
                                                                                          push dword ptr [ebp+08h]
                                                                                          call dword ptr [0040D03Ch]
                                                                                          push C0000409h
                                                                                          call dword ptr [0040D044h]
                                                                                          push eax
                                                                                          call dword ptr [0040D048h]
                                                                                          pop ebp
                                                                                          ret
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          sub esp, 00000324h
                                                                                          push 00000017h
                                                                                          call dword ptr [0040D04Ch]
                                                                                          test eax, eax
                                                                                          je 00007FDE850D1B57h
                                                                                          push 00000002h
                                                                                          pop ecx
                                                                                          int 29h
                                                                                          mov dword ptr [004148D8h], eax
                                                                                          mov dword ptr [004148D4h], ecx
                                                                                          mov dword ptr [004148D0h], edx
                                                                                          mov dword ptr [004148CCh], ebx
                                                                                          mov dword ptr [004148C8h], esi
                                                                                          mov dword ptr [004148C4h], edi
                                                                                          mov word ptr [004148F0h], ss
                                                                                          mov word ptr [004148E4h], cs
                                                                                          mov word ptr [004148C0h], ds
                                                                                          mov word ptr [004148BCh], es
                                                                                          mov word ptr [004148B8h], fs
                                                                                          mov word ptr [004148B4h], gs
                                                                                          pushfd
                                                                                          pop dword ptr [004148E8h]
                                                                                          mov eax, dword ptr [ebp+00h]
                                                                                          mov dword ptr [004148DCh], eax
                                                                                          mov eax, dword ptr [ebp+04h]
                                                                                          mov dword ptr [004148E0h], eax
                                                                                          lea eax, dword ptr [ebp+08h]
                                                                                          mov dword ptr [004148ECh], eax
                                                                                          mov eax, dword ptr [ebp-00000324h]
                                                                                          mov dword ptr [00414828h], 00010001h

                                                                                          Rich Headers

                                                                                          Programming Language:
                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                          • [IMP] VS2008 build 21022

                                                                                          Data Directories

                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x129c40x50.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x533074.rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x5462000x15fe8
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x54a0000xea8.reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x11f200x70.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x11e600x40.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0xd0000x13c.rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                          Sections

                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x10000xb1af0xb200d9fa6da0baf4b869720be833223490cbFalse0.6123156601123596data6.592039633797327IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rdata0xd0000x60780x62008b45a1035c0de72f910a75db7749f735False0.41549744897959184data4.786621464556291IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data0x140000x11e40x8001f4cc86b6735a74429c9d1feb93e2871False0.18310546875data2.265083745848167IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .rsrc0x160000x5330740x533200d813d73373778ed5b0a4b71b252379ebunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0x54a0000xea80x1000a93b0f39998e1e69e5944da8c5ff06b1False0.72265625data6.301490309336801IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Resources

                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                          FILES0x163d40x86000PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows0.3962220149253731
                                                                                          FILES0x9c3d40x1a4600PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows0.5111589431762695
                                                                                          FILES0x2409d40x1ac00PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows0.4415066442757009
                                                                                          FILES0x25b5d40x2ec318PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows0.9810924530029297
                                                                                          FILES0x5478ec0x1600PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows0.3908025568181818
                                                                                          RT_MANIFEST0x548eec0x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

                                                                                          Imports

                                                                                          DLLImport
                                                                                          mscoree.dllCorBindToRuntimeEx
                                                                                          KERNEL32.dllGetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
                                                                                          OLEAUT32.dllVariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData

                                                                                          Possible Origin

                                                                                          Language of compilation systemCountry where language is spokenMap
                                                                                          EnglishUnited States

                                                                                          Network Behavior

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Jan 14, 2025 11:33:42.678608894 CET49705443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:42.678664923 CET4434970551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:42.678812981 CET49705443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:43.169244051 CET49705443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:43.169267893 CET4434970551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:43.169564962 CET4434970551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:45.236618996 CET49708443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:45.236675978 CET4434970851.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:45.236762047 CET49708443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:45.238677979 CET49708443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:45.238719940 CET4434970851.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:45.238857985 CET4434970851.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:48.779500008 CET49711443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:48.779542923 CET4434971151.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:48.779613018 CET49711443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:48.784389019 CET49711443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:48.784404039 CET4434971151.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:48.784481049 CET4434971151.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:53.691448927 CET49715443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:53.691564083 CET4434971551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:53.691673040 CET49715443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:53.693857908 CET49715443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:33:53.693898916 CET4434971551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:33:53.693953037 CET4434971551.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:00.558831930 CET49754443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:00.558868885 CET4434975451.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:00.558968067 CET49754443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:00.560986996 CET49754443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:00.561022997 CET4434975451.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:00.561134100 CET4434975451.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:11.458817959 CET49819443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:11.458863974 CET4434981951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:11.458959103 CET49819443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:11.460891962 CET49819443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:11.460926056 CET4434981951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:11.460954905 CET4434981951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:26.035243988 CET49906443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:26.035269976 CET4434990651.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:26.035329103 CET49906443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:26.037501097 CET49906443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:26.037520885 CET4434990651.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:26.037653923 CET4434990651.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:49.372823954 CET49987443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:49.372895956 CET4434998751.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:49.372967958 CET49987443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:49.393064022 CET49987443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:34:49.393098116 CET4434998751.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:34:49.393184900 CET4434998751.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:35:26.598571062 CET49989443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:35:26.598598003 CET4434998951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:35:26.598696947 CET49989443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:35:26.601141930 CET49989443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:35:26.601159096 CET4434998951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:35:26.601217031 CET4434998951.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:36:14.262892008 CET49990443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:36:14.262985945 CET4434999051.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:36:14.263099909 CET49990443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:36:14.265590906 CET49990443192.168.2.551.195.188.103
                                                                                          Jan 14, 2025 11:36:14.265629053 CET4434999051.195.188.103192.168.2.5
                                                                                          Jan 14, 2025 11:36:14.265681028 CET4434999051.195.188.103192.168.2.5

                                                                                          UDP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Jan 14, 2025 11:33:42.620836973 CET6221453192.168.2.51.1.1.1
                                                                                          Jan 14, 2025 11:33:42.648658037 CET53622141.1.1.1192.168.2.5
                                                                                          Jan 14, 2025 11:34:25.998481035 CET5925553192.168.2.51.1.1.1
                                                                                          Jan 14, 2025 11:34:26.025121927 CET53592551.1.1.1192.168.2.5
                                                                                          Jan 14, 2025 11:35:26.559947014 CET5505153192.168.2.51.1.1.1
                                                                                          Jan 14, 2025 11:35:26.587795019 CET53550511.1.1.1192.168.2.5
                                                                                          Jan 14, 2025 11:36:14.219890118 CET6344553192.168.2.51.1.1.1
                                                                                          Jan 14, 2025 11:36:14.246414900 CET53634451.1.1.1192.168.2.5

                                                                                          DNS Queries

                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                          Jan 14, 2025 11:33:42.620836973 CET192.168.2.51.1.1.10xc307Standard query (0)instance-lsc69n-relay.screenconnect.comA (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:34:25.998481035 CET192.168.2.51.1.1.10x3182Standard query (0)instance-lsc69n-relay.screenconnect.comA (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:35:26.559947014 CET192.168.2.51.1.1.10x8e49Standard query (0)instance-lsc69n-relay.screenconnect.comA (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:36:14.219890118 CET192.168.2.51.1.1.10x5e58Standard query (0)instance-lsc69n-relay.screenconnect.comA (IP address)IN (0x0001)false

                                                                                          DNS Answers

                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Jan 14, 2025 11:33:42.648658037 CET1.1.1.1192.168.2.50xc307No error (0)instance-lsc69n-relay.screenconnect.comserver-ovh3183109-relay.screenconnect.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Jan 14, 2025 11:33:42.648658037 CET1.1.1.1192.168.2.50xc307No error (0)server-ovh3183109-relay.screenconnect.com51.195.188.103A (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:34:26.025121927 CET1.1.1.1192.168.2.50x3182No error (0)instance-lsc69n-relay.screenconnect.comserver-ovh3183109-relay.screenconnect.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Jan 14, 2025 11:34:26.025121927 CET1.1.1.1192.168.2.50x3182No error (0)server-ovh3183109-relay.screenconnect.com51.195.188.103A (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:35:26.587795019 CET1.1.1.1192.168.2.50x8e49No error (0)instance-lsc69n-relay.screenconnect.comserver-ovh3183109-relay.screenconnect.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Jan 14, 2025 11:35:26.587795019 CET1.1.1.1192.168.2.50x8e49No error (0)server-ovh3183109-relay.screenconnect.com51.195.188.103A (IP address)IN (0x0001)false
                                                                                          Jan 14, 2025 11:36:14.246414900 CET1.1.1.1192.168.2.50x5e58No error (0)instance-lsc69n-relay.screenconnect.comserver-ovh3183109-relay.screenconnect.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Jan 14, 2025 11:36:14.246414900 CET1.1.1.1192.168.2.50x5e58No error (0)server-ovh3183109-relay.screenconnect.com51.195.188.103A (IP address)IN (0x0001)false

                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:05:33:36
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Users\user\Desktop\XCnB8SL.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\XCnB8SL.exe"
                                                                                          Imagebase:0x9f0000
                                                                                          File size:5'620'200 bytes
                                                                                          MD5 hash:775EF50F591AFEEDE47EAAFE8374EF2C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2071871270.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2074796983.0000000007B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.2043074999.0000000000A06000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:05:33:36
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\78092984cb0cb00b\ScreenConnect.ClientSetup.msi"
                                                                                          Imagebase:0x1b0000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:3
                                                                                          Start time:05:33:36
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                          Imagebase:0x7ff7846b0000
                                                                                          File size:69'632 bytes
                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:4
                                                                                          Start time:05:33:37
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 1ABC939BAD5B2091C3DFE6B16FAB8E93 C
                                                                                          Imagebase:0x1b0000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:5
                                                                                          Start time:05:33:37
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA26B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3908312 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                          Imagebase:0xe80000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:6
                                                                                          Start time:05:33:39
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 60FC33D3A154F12012949CE4C1F7B68A
                                                                                          Imagebase:0x1b0000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:7
                                                                                          Start time:05:33:39
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F82F1306E1EE0DF6A4C6CD3F8461BBF6 E Global\MSI0000
                                                                                          Imagebase:0x1b0000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:8
                                                                                          Start time:05:33:40
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-lsc69n-relay.screenconnect.com&p=443&s=bfc0cff7-743e-4d66-af30-d5a2472baaec&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ3wP49cUjwp4h5bW8x1hIzBJ8Xqf10OlCcXAIgZLA90HKMWX1pOmmvdeKr%2f1ydT2f%2fcesxCnJci949ntm9Ws%2bW5GBYjz72K0cOTu%2bCVtiPts8Tu7niuaL9hyr6MtXRZS3fWVFyQtzf8XNxfF9nHwfLtaZ09IhyUz%2fxxO2GwvtJayNOjJc2bbek8NSDoqVF2GLLrCQ39zQn%2bFPKi7cYZJipM28zyM9NaFvB4KFNf9Ff36N1Je3I4j4BmSnJliokqsW5tLXsmW1qDr%2f%2f4Kh454A2DlS4M6cHSNNfUOfw2DDJotMPIlqdAoAWQlbIjbKE5Fu5NzDwZvMKSkOAQsBr%2fq%2b&c=Screenconnect&c=&c=&c=&c=&c=&c=&c="
                                                                                          Imagebase:0x3d0000
                                                                                          File size:95'512 bytes
                                                                                          MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:9
                                                                                          Start time:05:33:41
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe" "RunRole" "63470ffb-1a11-4f64-bd4a-bf35c009e72e" "User"
                                                                                          Imagebase:0xd10000
                                                                                          File size:602'392 bytes
                                                                                          MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2095104128.0000000000D12000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.3908078879.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (78092984cb0cb00b)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:10
                                                                                          Start time:05:33:42
                                                                                          Start date:14/01/2025
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                          Imagebase:0x7ff7e52b0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Disassembly

                                                                                          Reset < >

                                                                                            Execution Graph

                                                                                            Execution Coverage:15.3%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:21.7%
                                                                                            Total number of Nodes:23
                                                                                            Total number of Limit Nodes:1
                                                                                            execution_graph 27241 18518d8 27242 18518e8 27241->27242 27245 18519e0 27242->27245 27249 18541f0 27245->27249 27254 18541e0 27245->27254 27250 185420f 27249->27250 27259 5be14b0 27250->27259 27263 5be14c0 27250->27263 27251 18543ed 27251->27251 27255 185420f 27254->27255 27257 5be14b0 RtlGetVersion 27255->27257 27258 5be14c0 RtlGetVersion 27255->27258 27256 18543ed 27257->27256 27258->27256 27260 5be14ce 27259->27260 27261 5be14d4 27259->27261 27267 5be2d07 27260->27267 27261->27251 27264 5be14ce 27263->27264 27265 5be14d4 27263->27265 27266 5be2d07 RtlGetVersion 27264->27266 27265->27251 27266->27265 27268 5be2d23 27267->27268 27269 5be2e2c 27268->27269 27270 5be2f0c RtlGetVersion 27268->27270 27269->27261 27271 5be2fca 27270->27271 27271->27261

                                                                                            Executed Functions

                                                                                            Function 05BE2D07 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 70 5be2d07-5be2d22 71 5be2d23-5be2d49 70->71 73 5be2d4b-5be2de6 71->73 80 5be2e58-5be2e6d 73->80 81 5be2de8-5be2dfc 73->81 88 5be2e6f-5be2e8b 80->88 89 5be2ead-5be2ec8 80->89 84 5be2dfe-5be2e00 81->84 85 5be2e02 81->85 86 5be2e05-5be2e26 call 5be2560 84->86 85->86 98 5be2e2c-5be2e57 86->98 99 5be2ef8-5be2fc8 RtlGetVersion 86->99 101 5be2e8d 88->101 102 5be2e95-5be2eab 88->102 94 5be2eca-5be2ece 89->94 96 5be2ed9 94->96 97 5be2ed0 94->97 96->99 97->96 109 5be2fca-5be2fd0 99->109 110 5be2fd1-5be3014 99->110 101->102 102->94 109->110 114 5be301b-5be3022 110->114 115 5be3016 110->115 115->114
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071657437.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5be0000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq$`Qjq$`Qjq
                                                                                            • API String ID: 0-2550165541
                                                                                            • Opcode ID: aef888c0185258833108d0d60bf9eb30e1b76b6ed9ab6a50b8722fee16aa981d
                                                                                            • Instruction ID: 6f4741cefdb8b14bf1ba883056697d33ffa4b6f8966b7efb54b75dfc0b72e030
                                                                                            • Opcode Fuzzy Hash: aef888c0185258833108d0d60bf9eb30e1b76b6ed9ab6a50b8722fee16aa981d
                                                                                            • Instruction Fuzzy Hash: 1A81F075A043658FDB11DBA8C8547EABBB6FF45300F0840EAC905EB391EB746C45CB91
                                                                                            Function 05BEBA41 Relevance: 6.9, Strings: 5, Instructions: 664COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 116 5beba41-5beba75 304 5beba77 call 5beba50 116->304 305 5beba77 call 5beba41 116->305 119 5beba7d-5bebaf2 call 5beb338 * 2 call 5bea9d8 131 5bebaf8-5bebafa 119->131 132 5bebbd4-5bebbde 119->132 133 5bebbdf-5bebc3f 131->133 134 5bebb00-5bebb06 131->134 136 5bebc46-5bebcfc 133->136 135 5bebb0c-5bebb1e 134->135 134->136 140 5bebb90-5bebbce call 5beb7b4 135->140 141 5bebb20-5bebb88 135->141 165 5bebd04-5bebd0c 136->165 140->131 140->132 141->140 166 5bebdc0-5bebdc9 165->166 167 5bebdcb-5bebdce 166->167 168 5bebdd4-5bebddb 166->168 167->168 169 5bebd11-5bebd1d 167->169 170 5bebfbf-5bebfc8 168->170 171 5bebde1-5bebe20 call 5beb338 168->171 172 5bebfc9-5bec03d 169->172 173 5bebd23-5bebd3c 169->173 191 5bebe29-5bebe36 171->191 192 5bebe22-5bebe27 171->192 200 5bec1dd-5bec1e7 172->200 201 5bec043-5bec062 172->201 178 5bebd3e-5bebdab 173->178 179 5bebdb3-5bebdbd 173->179 178->179 179->166 195 5bebe39-5bebe76 call 5bea9d8 191->195 192->195 205 5bebfb0-5bebfb9 195->205 206 5bec0cb-5bec0da 201->206 207 5bec064-5bec0c3 call 5beb338 201->207 205->170 208 5bebe7b-5bebeba 205->208 206->200 212 5bec0e0-5bec119 206->212 207->206 223 5bebebc-5bebf29 208->223 224 5bebf31-5bebf86 208->224 212->200 225 5bec11f-5bec122 212->225 223->224 224->205 240 5bebf88-5bebf8a 224->240 225->200 227 5bec128-5bec12b 225->227 230 5bec12d-5bec131 227->230 231 5bec149-5bec15b 227->231 232 5bec13f-5bec143 230->232 233 5bec133-5bec137 230->233 238 5bec15d-5bec1c0 231->238 239 5bec1c8-5bec1d7 231->239 232->231 234 5bec1e8-5bec23d 232->234 233->232 257 5bec23f 234->257 258 5bec245-5bec250 234->258 238->239 239->200 239->212 240->205 243 5bebf8c-5bebfab 240->243 243->170 253 5bebfad 243->253 253->205 257->258 259 5bec25a-5bec25c 258->259 260 5bec252-5bec259 258->260 261 5bec25e-5bec261 259->261 262 5bec2b2-5bec31f 259->262 260->259 261->262 263 5bec263-5bec269 261->263 267 5bec326-5bec34d 262->267 264 5bec26b-5bec270 263->264 265 5bec278-5bec27e 263->265 264->265 265->267 268 5bec284-5bec294 265->268 272 5bec34f 267->272 273 5bec355-5bec360 267->273 275 5bec2ac-5bec2b1 268->275 276 5bec296-5bec29c 268->276 272->273 277 5bec36a-5bec36c 273->277 278 5bec362-5bec369 273->278 279 5bec29e 276->279 280 5bec2a0-5bec2a2 276->280 282 5bec36e-5bec371 277->282 283 5bec3a9-5bec3f1 277->283 278->277 279->275 280->275 282->283 284 5bec373-5bec379 282->284 289 5bec3f8-5bec43b call 5beb7c4 call 5beb7d4 283->289 286 5bec37b-5bec380 284->286 287 5bec388-5bec38e 284->287 286->287 287->289 290 5bec390-5bec3a6 287->290 304->119 305->119
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071657437.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5be0000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'jq$4'jq$4'jq$4'jq$4'jq
                                                                                            • API String ID: 0-1033777525
                                                                                            • Opcode ID: 24cc383d5861ed22c2c3bdae0e2b19a6e8eb9d5c8a1ad6a1ca424c8fdc71a679
                                                                                            • Instruction ID: 30a953f341268a60f56749a47c89cdbf6a1721594e156c5294e0c1a25167b121
                                                                                            • Opcode Fuzzy Hash: 24cc383d5861ed22c2c3bdae0e2b19a6e8eb9d5c8a1ad6a1ca424c8fdc71a679
                                                                                            • Instruction Fuzzy Hash: 94429F70A006068FCB14DF68D994AAEFBF2FF88310B14856DE4199B7A5DB34ED45CB90
                                                                                            Function 05BE87D8 Relevance: 1.9, Strings: 1, Instructions: 695COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 554 5be87d8-5be8823 call 5be3690 703 5be8825 call 5be87d8 554->703 704 5be8825 call 5be87c8 554->704 705 5be8825 call 5be4e40 554->705 706 5be8825 call 5be9450 554->706 558 5be882b-5be888d call 5bea0f0 694 5be888f call 5bef55e 558->694 695 5be888f call 5bef475 558->695 564 5be8895-5be88ff 699 5be8901 call 5c02c90 564->699 700 5be8901 call 5c02c81 564->700 570 5be8907-5be894b 707 5be894d call 5c02c90 570->707 708 5be894d call 5c02c81 570->708 574 5be8953-5be89f4 581 5be89fa-5be8a2f 574->581 582 5be9445-5be94e5 call 5be4e40 call 5be9b58 574->582 581->582 585 5be8a35-5be8a6a 581->585 601 5be94eb-5be9534 582->601 585->582 588 5be8a70-5be8aa5 585->588 588->582 592 5be8aab-5be8ae0 588->592 592->582 595 5be8ae6-5be8b1b 592->595 595->582 600 5be8b21-5be8b3c 595->600 603 5be8bcb-5be8bde 600->603 604 5be8b42-5be8b6e 600->604 606 5be8bf7-5be8c06 603->606 607 5be8be0-5be8bf5 603->607 611 5be8bbc-5be8bc5 604->611 612 5be8b70-5be8bb4 604->612 608 5be8c0c-5be8c12 606->608 607->608 701 5be8c14 call 5c049e0 608->701 702 5be8c14 call 5c04a4a 608->702 611->603 611->604 612->611 613 5be8c1a-5be8c33 615 5be8cae-5be8ccb 613->615 616 5be8c35-5be8cac 613->616 618 5be8ce8-5be9033 615->618 616->615 621 5be8ccd-5be8ce2 616->621 667 5be91cd-5be91e9 618->667 668 5be9039-5be91b1 618->668 621->618 670 5be91eb 667->670 671 5be91f7 667->671 697 5be91b3 call 5c04c90 668->697 698 5be91b3 call 5c04c50 668->698 670->671 671->582 692 5be91b9-5be91c7 692->667 692->668 694->564 695->564 697->692 698->692 699->570 700->570 701->613 702->613 703->558 704->558 705->558 706->558 707->574 708->574
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071657437.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5be0000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: 786d603a0020fca924418e7f90ab862fb877ce6962c9fe1fc0d8d48f2c0378f7
                                                                                            • Instruction ID: 18774cad9d1a3cd3dba9bcdb8c82b39bbafdabb50816acdd92210c3e54cb3bb7
                                                                                            • Opcode Fuzzy Hash: 786d603a0020fca924418e7f90ab862fb877ce6962c9fe1fc0d8d48f2c0378f7
                                                                                            • Instruction Fuzzy Hash: 4F628E34A01219CFCB15DF28D858B9EBBB6FF89300F108599E909A7355DB35AD85CFA0
                                                                                            Function 05BE87C8 Relevance: 1.9, Strings: 1, Instructions: 617COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 710 5be87c8-5be8823 call 5be3690 856 5be8825 call 5be87d8 710->856 857 5be8825 call 5be87c8 710->857 858 5be8825 call 5be4e40 710->858 859 5be8825 call 5be9450 710->859 714 5be882b-5be888d call 5bea0f0 863 5be888f call 5bef55e 714->863 864 5be888f call 5bef475 714->864 720 5be8895-5be88ff 852 5be8901 call 5c02c90 720->852 853 5be8901 call 5c02c81 720->853 726 5be8907-5be894b 860 5be894d call 5c02c90 726->860 861 5be894d call 5c02c81 726->861 730 5be8953-5be89f4 737 5be89fa-5be8a2f 730->737 738 5be9445-5be94e5 call 5be4e40 call 5be9b58 730->738 737->738 741 5be8a35-5be8a6a 737->741 757 5be94eb-5be9534 738->757 741->738 744 5be8a70-5be8aa5 741->744 744->738 748 5be8aab-5be8ae0 744->748 748->738 751 5be8ae6-5be8b1b 748->751 751->738 756 5be8b21-5be8b3c 751->756 759 5be8bcb-5be8bde 756->759 760 5be8b42-5be8b6e 756->760 762 5be8bf7-5be8c06 759->762 763 5be8be0-5be8bf5 759->763 767 5be8bbc-5be8bc5 760->767 768 5be8b70-5be8bb4 760->768 764 5be8c0c-5be8c12 762->764 763->764 854 5be8c14 call 5c049e0 764->854 855 5be8c14 call 5c04a4a 764->855 767->759 767->760 768->767 769 5be8c1a-5be8c33 771 5be8cae-5be8ccb 769->771 772 5be8c35-5be8cac 769->772 774 5be8ce8-5be9033 771->774 772->771 777 5be8ccd-5be8ce2 772->777 823 5be91cd-5be91e9 774->823 824 5be9039-5be91b1 774->824 777->774 826 5be91eb 823->826 827 5be91f7 823->827 850 5be91b3 call 5c04c90 824->850 851 5be91b3 call 5c04c50 824->851 826->827 827->738 848 5be91b9-5be91c7 848->823 848->824 850->848 851->848 852->726 853->726 854->769 855->769 856->714 857->714 858->714 859->714 860->730 861->730 863->720 864->720
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071657437.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5be0000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID: 0-3916222277
                                                                                            • Opcode ID: 530fe98816f529d2580bd279d7c1d3e938c1e2abfb3f08dd784b96391bbf5dbc
                                                                                            • Instruction ID: 1635b14fa07c7cf4e200cef0241bfdc41302e4ac8dca5ee6ad72bf9e787bc393
                                                                                            • Opcode Fuzzy Hash: 530fe98816f529d2580bd279d7c1d3e938c1e2abfb3f08dd784b96391bbf5dbc
                                                                                            • Instruction Fuzzy Hash: C5428D34A01218CFCB15DF28D858BADBBB6FF89300F148599E909A7355DB35AD85CFA0
                                                                                            Function 05C00CB8 Relevance: 1.2, Instructions: 1196COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ccbf8e85050a431862be0c2d6c07a8934e2ec66dba9f1d840aff4bb634f3731
                                                                                            • Instruction ID: 79313b26193c8c4361cc2e8eab92732f7d5bd5dafdce57030d2af150c7338d87
                                                                                            • Opcode Fuzzy Hash: 7ccbf8e85050a431862be0c2d6c07a8934e2ec66dba9f1d840aff4bb634f3731
                                                                                            • Instruction Fuzzy Hash: 63B23875A002049FDB14DFA8C888AADBBF2FF88310F558559E959AB3A5DB30ED41CF50
                                                                                            Function 05C00848 Relevance: 9.0, Strings: 7, Instructions: 220COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 5c00848-5c00872 2 5c00891-5c0089d 0->2 3 5c00874-5c0088e 0->3 6 5c008c0-5c008cc 2->6 7 5c0089f-5c008bd 2->7 11 5c008d2-5c008d7 6->11 12 5c009d5-5c009e1 6->12 14 5c008f5 11->14 15 5c008d9-5c008df 11->15 21 5c00a21-5c00a40 12->21 22 5c009e3-5c009e9 12->22 16 5c008f7-5c0090f 14->16 18 5c008e1-5c008e3 15->18 19 5c008e5-5c008f1 15->19 28 5c00915-5c0091e 16->28 29 5c009bf-5c009d2 16->29 20 5c008f3 18->20 19->20 20->16 40 5c00a42-5c00a6c 21->40 41 5c00a89-5c00a8c 21->41 25 5c009f7-5c00a1e 22->25 26 5c009eb-5c009ed 22->26 26->25 34 5c00920-5c00926 28->34 35 5c0093c 28->35 38 5c00928-5c0092a 34->38 39 5c0092c-5c00938 34->39 36 5c0093e-5c00960 35->36 68 5c00962 call 5c00848 36->68 69 5c00962 call 5c00838 36->69 42 5c0093a 38->42 39->42 50 5c00a74-5c00a87 40->50 51 5c00a6e 40->51 64 5c00a8e call 5c00ac8 41->64 65 5c00a8e call 5c00ab9 41->65 42->36 45 5c00a94-5c00a98 49 5c00968-5c00979 66 5c0097b call 5c00848 49->66 67 5c0097b call 5c00838 49->67 50->41 52 5c00a70-5c00a72 51->52 53 5c00a99-5c00ab4 51->53 52->50 52->53 57 5c00981-5c0099a 59 5c009b4-5c009b8 57->59 60 5c0099c-5c009a2 57->60 59->29 61 5c009a4 60->61 62 5c009a6-5c009b2 60->62 61->59 62->59 64->45 65->45 66->57 67->57 68->49 69->49
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq
                                                                                            • API String ID: 0-4136267279
                                                                                            • Opcode ID: c6c2a3ddf6d8b926a45b4d677fe8cafc34c90c388b471794391f40354d90dca1
                                                                                            • Instruction ID: cf04ac660d98960bda707f6515a1a32f83cf7769dff56bfc0c2d7ad77bf43ebe
                                                                                            • Opcode Fuzzy Hash: c6c2a3ddf6d8b926a45b4d677fe8cafc34c90c388b471794391f40354d90dca1
                                                                                            • Instruction Fuzzy Hash: C5612431B416158FCB24DB6998546BEBBA7FFC8320B65482AD845A7284DF31DD01C7E0
                                                                                            Function 01857A30 Relevance: 3.9, Strings: 3, Instructions: 187COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 306 1857a30-1857a7f 311 1857a81-1857a95 306->311 312 1857abd-1857ad5 306->312 317 1857a97 311->317 318 1857a9e-1857abb 311->318 315 1857ad7-1857aeb 312->315 316 1857b13-1857b2b 312->316 324 1857af4-1857b11 315->324 325 1857aed 315->325 322 1857b2d-1857b41 316->322 323 1857b69-1857b8e 316->323 317->318 318->312 330 1857b43 322->330 331 1857b4a-1857b67 322->331 334 1857b90-1857ba4 323->334 335 1857bcc-1857c05 323->335 324->316 325->324 330->331 331->323 340 1857ba6 334->340 341 1857bad-1857bca 334->341 347 1857c07-1857c1b 335->347 348 1857c43-1857c7c 335->348 340->341 341->335 351 1857c24-1857c41 347->351 352 1857c1d 347->352 358 1857c7e-1857c92 348->358 359 1857cba-1857cc9 348->359 351->348 352->351 362 1857c94 358->362 363 1857c9b-1857cb8 358->363 362->363 363->359
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #!$K6$7
                                                                                            • API String ID: 0-185628103
                                                                                            • Opcode ID: 99c60cccdd95e97c4ce3a7b5cfd1beb85b478027baf7863c84faad15dd4ada0f
                                                                                            • Instruction ID: 90a21e17a3201d4fe007b17842a895d4daf7bd0bbcafcb0e8237f42e4a06daae
                                                                                            • Opcode Fuzzy Hash: 99c60cccdd95e97c4ce3a7b5cfd1beb85b478027baf7863c84faad15dd4ada0f
                                                                                            • Instruction Fuzzy Hash: 1B5154303102024BC759AB6DA594A5E77EBEBCC760754C629DA19CB348EF78ED09C780
                                                                                            Function 05C02C90 Relevance: 2.8, Strings: 2, Instructions: 340COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 366 5c02c90-5c02cf8 370 5c02d61-5c02d67 366->370 371 5c02cfa 366->371 449 5c02d6a call 5c02c90 370->449 450 5c02d6a call 5c02c81 370->450 372 5c02cfd-5c02d03 371->372 374 5c02d89-5c02de8 372->374 375 5c02d09-5c02d13 372->375 373 5c02d70-5c02d86 call 5c02820 387 5c02e1a-5c02e1f call 5beff80 374->387 388 5c02dea-5c02df9 374->388 375->374 377 5c02d15-5c02d1c call 5c00848 375->377 381 5c02d21-5c02d5f 377->381 381->370 381->372 389 5c02e25-5c02e47 387->389 391 5c02ed6-5c02ee0 388->391 392 5c02dff-5c02e0a 388->392 395 5c02ec9-5c02ed3 389->395 396 5c02e4d 389->396 399 5c02ee2 391->399 400 5c02ee3-5c02eff 391->400 392->391 394 5c02e10-5c02e18 392->394 394->387 394->388 398 5c02e50-5c02e66 396->398 409 5c02e68-5c02e6d 398->409 410 5c02e6f 398->410 399->400 401 5c02fb0-5c02fd5 400->401 402 5c02f05-5c02f07 400->402 404 5c02fdc-5c02fe0 401->404 402->404 405 5c02f0d-5c02f11 402->405 407 5c02fe2-5c02fe8 404->407 408 5c02fea 404->408 405->404 411 5c02f17-5c02f1f 405->411 412 5c02ff0-5c0301c 407->412 408->412 413 5c02e74-5c02e7a 409->413 410->413 414 5c03023-5c0307b 411->414 415 5c02f25-5c02f27 411->415 412->414 417 5c02eb2-5c02ec7 413->417 418 5c02e7c 413->418 447 5c03083 414->447 448 5c0307d 414->448 419 5c02f37-5c02f3b 415->419 420 5c02f29-5c02f31 415->420 417->395 417->398 423 5c02e7f-5c02e85 418->423 424 5c02fa9-5c02fad 419->424 425 5c02f3d-5c02f41 419->425 420->414 420->419 423->391 427 5c02e87-5c02eb0 423->427 428 5c02f43-5c02f57 425->428 429 5c02f59-5c02f6d 425->429 427->417 427->423 428->429 436 5c02f76-5c02f78 428->436 429->436 437 5c02f6f-5c02f73 429->437 439 5c02f91-5c02fa1 436->439 440 5c02f7a-5c02f8e 436->440 452 5c02fa3 call 5c03198 439->452 453 5c02fa3 call 5c03189 439->453 448->447 449->373 450->373 452->424 453->424
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq$Hnq
                                                                                            • API String ID: 0-3116299003
                                                                                            • Opcode ID: 944efe1d17caf465dc8e27fd27f70ca3f33eef0badb1b254795327c11fcce3aa
                                                                                            • Instruction ID: a59d121fa9e952ef4e05ca2cca1b0c30481914a4e8c7225272cc48494134f360
                                                                                            • Opcode Fuzzy Hash: 944efe1d17caf465dc8e27fd27f70ca3f33eef0badb1b254795327c11fcce3aa
                                                                                            • Instruction Fuzzy Hash: F2C17275B001199FCB04DFA9C588AAEBBB6FF88310F158469E915E7394DB34ED41CBA0
                                                                                            Function 0185D531 Relevance: 2.6, Strings: 2, Instructions: 111COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 454 185d531-185d558 455 185d635-185d65a 454->455 456 185d55e-185d560 454->456 458 185d661-185d665 455->458 457 185d566-185d56a 456->457 456->458 457->458 462 185d570-185d578 457->462 459 185d667-185d66d 458->459 460 185d66f 458->460 463 185d675-185d6a1 459->463 460->463 465 185d57e-185d582 462->465 466 185d6a8-185d6f4 462->466 463->466 469 185d588-185d58c 465->469 470 185d62b-185d632 465->470 496 185d6fc-185d701 466->496 472 185d5b1-185d5c5 469->472 473 185d58e-185d596 469->473 481 185d5c7-185d5ce 472->481 482 185d5d1-185d5e2 472->482 476 185d5a4 473->476 477 185d598-185d59a 473->477 500 185d5a6 call 185d505 476->500 501 185d5a6 call 185d531 476->501 502 185d5a6 call 185d6e0 476->502 503 185d5a6 call 185d6f0 476->503 477->476 480 185d5ac-185d5af 480->472 480->482 484 185d5e4-185d5f0 482->484 485 185d5f2 482->485 487 185d5f4-185d603 484->487 485->487 492 185d605-185d611 487->492 493 185d613 487->493 495 185d616-185d628 492->495 493->495 498 185d629 call 185dac8 495->498 499 185d629 call 185dad8 495->499 498->470 499->470 500->480 501->480 502->480 503->480
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq$Hnq
                                                                                            • API String ID: 0-3116299003
                                                                                            • Opcode ID: 09c6d8434ef952ae28acd94533e00234273f20531523f3eb10c03e39b9981911
                                                                                            • Instruction ID: cecfb62dc5597b3273b7082339e36f4970b359f16578e9e515cb5139dc370546
                                                                                            • Opcode Fuzzy Hash: 09c6d8434ef952ae28acd94533e00234273f20531523f3eb10c03e39b9981911
                                                                                            • Instruction Fuzzy Hash: F131E231B002458FCB849EAC844876F7BE2EF94351F15466ADD09DB385DE34DE02C7A1
                                                                                            Function 05C04C90 Relevance: 2.6, Strings: 2, Instructions: 104COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 504 5c04c90-5c04c9b 505 5c04cc8-5c04cf3 504->505 506 5c04c9d-5c04ca0 504->506 508 5c04cfa-5c04d25 505->508 507 5c04ca2-5c04caa 506->507 506->508 509 5c04cb0-5c04cc7 507->509 510 5c04d2c-5c04dc2 call 5c051da call 5c0645f call 5c02820 507->510 508->510 534 5c04dc7-5c04dcb 510->534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq$Tejq
                                                                                            • API String ID: 0-942063033
                                                                                            • Opcode ID: dd6bffa746b776d23dd7f5fc8e7fd456342a8846c6d4876f9449baf88078206e
                                                                                            • Instruction ID: 7a6057927ce4d1450fcb4b6ea580c8dd3ce4b0419a1a5eba06b49c0d776d9c46
                                                                                            • Opcode Fuzzy Hash: dd6bffa746b776d23dd7f5fc8e7fd456342a8846c6d4876f9449baf88078206e
                                                                                            • Instruction Fuzzy Hash: 0E31D3317042544FCB45AB7C84A842FBF96AFD636032984A9D50ACB3D6DE22ED07C7A5
                                                                                            Function 05C08935 Relevance: 2.2, Strings: 1, Instructions: 991COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 537 5c08935-5c08d6a call 5c08914 551 5c08d6c call 5c08dd0 537->551 552 5c08d6c call 5c08e00 537->552 553 5c08d6c call 5c08e10 537->553 543 5c08d72-5c08db0 548 5c08db2 543->548 549 5c08dbb 543->549 548->549 550 5c08dbc 549->550 550->550 551->543 552->543 553->543
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 59f94dc4e1f83cee347064b20c28561609e0560989aaf105e708cfda2cdc5159
                                                                                            • Instruction ID: 13c05cfd302beff997966a2501d324c88fdb8fceaab32ea2b8cce11c72a51e6b
                                                                                            • Opcode Fuzzy Hash: 59f94dc4e1f83cee347064b20c28561609e0560989aaf105e708cfda2cdc5159
                                                                                            • Instruction Fuzzy Hash: 1B217F71A05341CFCB15AF28C858A9DBBF2BF89310B1544AAD402EB7A1CF759D46CBA1
                                                                                            Function 05C051DA Relevance: 1.5, Strings: 1, Instructions: 286COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 866 5c051da-5c0521f 869 5c05225-5c05267 866->869 870 5c054f8-5c0551c 866->870 879 5c05269-5c0526c 869->879 880 5c0529d-5c052be 869->880 878 5c05523-5c05586 870->878 881 5c0526f-5c05278 879->881 886 5c05371-5c0537b 880->886 887 5c052c4-5c052cd 880->887 881->878 883 5c0527e-5c0529b 881->883 883->880 883->881 890 5c054f0-5c054f7 886->890 891 5c05381-5c0538a 886->891 887->878 888 5c052d3-5c052f9 887->888 903 5c05308-5c05315 888->903 891->878 893 5c05390-5c053b9 891->893 893->878 902 5c053bf-5c053e3 893->902 902->878 906 5c053e9-5c053f5 902->906 909 5c05317-5c05320 903->909 910 5c052fb-5c05302 903->910 907 5c054e0-5c054ea 906->907 908 5c053fb-5c05405 906->908 907->890 907->891 908->878 911 5c0540b-5c05427 908->911 909->878 912 5c05326-5c05343 909->912 910->903 911->878 916 5c0542d-5c05439 911->916 912->878 915 5c05349-5c0536b 912->915 915->886 915->887 916->878 917 5c0543f-5c05450 916->917 917->878 919 5c05456-5c05461 917->919 921 5c0546b-5c0547b 919->921 921->878 923 5c05481-5c0548d 921->923 923->878 924 5c05493-5c054a8 923->924 924->878 925 5c054aa-5c054cb 924->925 925->878 927 5c054cd-5c054da 925->927 927->907 927->908
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: cde75e2e30c408fa3dea48bcc2254d7f17e761e9487e2a9d2de5b692c131ba97
                                                                                            • Instruction ID: 61692db898eec984f43e34cb174b9ba4b23963ac5d96ddca251fc62f3dba5812
                                                                                            • Opcode Fuzzy Hash: cde75e2e30c408fa3dea48bcc2254d7f17e761e9487e2a9d2de5b692c131ba97
                                                                                            • Instruction Fuzzy Hash: EFC14975600616CFCB04DF58C584DAABBF2FF84304B968899E5469B2A6DB30FD45CBA0
                                                                                            Function 05C08DD0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1031 5c08dd0-5c08ded 1032 5c08dfb-5c08e30 1031->1032 1033 5c08def-5c08df9 1031->1033 1034 5c08f62-5c08f88 1032->1034 1035 5c08e36-5c08e42 1032->1035 1040 5c08f8f-5c08fdc 1034->1040 1039 5c08e48-5c08e96 1035->1039 1035->1040 1059 5c08f03-5c08f09 1039->1059 1051 5c09040-5c09044 1040->1051 1052 5c08fde-5c08fe2 1040->1052 1052->1051 1053 5c08fe4-5c0903c 1052->1053 1053->1051 1061 5c08e98-5c08ea6 1059->1061 1062 5c08f0b-5c08f61 1059->1062 1066 5c08ea8-5c08ee6 1061->1066 1067 5c08ee9 1061->1067 1066->1067 1079 5c08eeb call 5bec708 1067->1079 1080 5c08eeb call 5bec998 1067->1080 1081 5c08eeb call 5bec6f9 1067->1081 1072 5c08ef0-5c08efc 1075 5c08f02 1072->1075 1075->1059 1079->1072 1080->1072 1081->1072
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'jq
                                                                                            • API String ID: 0-3676250632
                                                                                            • Opcode ID: a7d05033422b1f1f621e31f9240e878dff1673f867a924a3031477e1fe48304d
                                                                                            • Instruction ID: f8c9d7224d6655043fb1523b096b21ba496738870be5b413a2a05c8ef74cbc46
                                                                                            • Opcode Fuzzy Hash: a7d05033422b1f1f621e31f9240e878dff1673f867a924a3031477e1fe48304d
                                                                                            • Instruction Fuzzy Hash: 8261E175B042008FC755DB78C894B6EBBF2FF89220F1484A9E546DB7A1DB34AD02CB90
                                                                                            Function 01858A98 Relevance: 1.4, Strings: 1, Instructions: 192COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1082 1858a98-1858ab8 1083 1858ae2-1858af1 1082->1083 1084 1858aba-1858adb 1082->1084 1085 1858af3 1083->1085 1086 1858afd-1858b0a 1083->1086 1084->1083 1085->1086 1090 1858b10-1858b1f 1086->1090 1091 1858bde-1858bf2 1086->1091 1094 1858b21 1090->1094 1095 1858b2b-1858b37 1090->1095 1092 1858bf4 1091->1092 1093 1858bfe-1858c21 1091->1093 1092->1093 1106 1858c23 1093->1106 1107 1858c2d-1858c37 1093->1107 1094->1095 1099 1858b70-1858b7f 1095->1099 1100 1858b39-1858b48 1095->1100 1101 1858b81 1099->1101 1102 1858b8b-1858bb2 1099->1102 1103 1858b54-1858b6f 1100->1103 1104 1858b4a 1100->1104 1101->1102 1113 1858bb4 1102->1113 1114 1858bbe-1858bdd 1102->1114 1104->1103 1106->1107 1127 1858c3a call 1858da8 1107->1127 1128 1858c3a call 1858d9b 1107->1128 1113->1114 1115 1858c40-1858c42 1116 1858c44-1858c53 1115->1116 1117 1858c88-1858ca1 1115->1117 1118 1858c55 1116->1118 1119 1858c5f-1858c86 1116->1119 1122 1858ca3 1117->1122 1123 1858cac 1117->1123 1118->1119 1119->1116 1119->1117 1122->1123 1127->1115 1128->1115
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: 78dc26a59ca76c1851106623b30991d3e5d4d477348a54095046afc58eca773a
                                                                                            • Instruction ID: afb5ad24c558ff5d0989f3debe623304caf37295f8ddb20e00b3e51153eacb21
                                                                                            • Opcode Fuzzy Hash: 78dc26a59ca76c1851106623b30991d3e5d4d477348a54095046afc58eca773a
                                                                                            • Instruction Fuzzy Hash: 98611634B106098FDB54DF69D8949AEB7B6FF8E304B1081A9E906DB325DB70ED02CB41
                                                                                            Function 01858A89 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: 629eea337aeda11fff2be6808961855395280ac4e3dacb5aebe8d7409b0bc54a
                                                                                            • Instruction ID: 2e0b069de4fb80dc7a929d6a64588e819b36adf66a949571e0dad1c24b564fa4
                                                                                            • Opcode Fuzzy Hash: 629eea337aeda11fff2be6808961855395280ac4e3dacb5aebe8d7409b0bc54a
                                                                                            • Instruction Fuzzy Hash: D9518F75B002048FCB46DF69D4D496EBBF6EF89310714816AE90ADB369EB30ED05CB51
                                                                                            Function 0185D505 Relevance: 1.4, Strings: 1, Instructions: 104COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Hnq
                                                                                            • API String ID: 0-2896580000
                                                                                            • Opcode ID: d43915ee18683ae5fcfe548101b230de607b3c88675bca0765f0b57834c660fe
                                                                                            • Instruction ID: 6224c2cbdc93ebf33b9ef5b6279eed0d44ec0555d2776c088edad26cec09c309
                                                                                            • Opcode Fuzzy Hash: d43915ee18683ae5fcfe548101b230de607b3c88675bca0765f0b57834c660fe
                                                                                            • Instruction Fuzzy Hash: 6E31CD34B002498FCB55DFA8C5856AEBBE2FF84314F1485AAED09CB355CA30DE05C7A1
                                                                                            Function 0185B9B0 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: {O%q^
                                                                                            • API String ID: 0-2260729532
                                                                                            • Opcode ID: bb7786bf810258edd5c80a21a3734315c8a2f7bd8311482e4e216ab042677756
                                                                                            • Instruction ID: 198f0f82d492b39f5563e7a41dc7aa680b63b3a7bbd6dd51b04181743aa256a9
                                                                                            • Opcode Fuzzy Hash: bb7786bf810258edd5c80a21a3734315c8a2f7bd8311482e4e216ab042677756
                                                                                            • Instruction Fuzzy Hash: C63128313002524BC746A77CA5A4A5E3BDBDFD9350744816ACA09CB399FE68DD09C7D1
                                                                                            Function 0185897F Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ^
                                                                                            • API String ID: 0-1590793086
                                                                                            • Opcode ID: df969b4e5cd1d13f2d32ee23ac3bf9a3da50da2469d5522ba4fd03afea79991a
                                                                                            • Instruction ID: 626392ee4910587c0ef9cd693d22a324d06f294d131c93dbb078f3d5f334a05f
                                                                                            • Opcode Fuzzy Hash: df969b4e5cd1d13f2d32ee23ac3bf9a3da50da2469d5522ba4fd03afea79991a
                                                                                            • Instruction Fuzzy Hash: F83194757042418FCB42DF39D49595ABFB6EF96320704806BDD49CB36ADA30DD09CB62
                                                                                            Function 0185B9E8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: {O%q^
                                                                                            • API String ID: 0-2260729532
                                                                                            • Opcode ID: ac81dcd4ede9131655befac27cd0969ebf3de74e0e3458467bd65032e4e69bf2
                                                                                            • Instruction ID: 685db9c3bea6b777b37f0af940d547297aef33e5e5b1be102b6da570f5b19d2e
                                                                                            • Opcode Fuzzy Hash: ac81dcd4ede9131655befac27cd0969ebf3de74e0e3458467bd65032e4e69bf2
                                                                                            • Instruction Fuzzy Hash: 25217F313002025B8749BB6DA994A1F76DBEBD97607848229DA09CB748EE78ED09C7D1
                                                                                            Function 0185D078 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: d97285b666689f95f4f81ccfde7167821af463f19d94a12f43f3e5ee6a03675c
                                                                                            • Instruction ID: 11f0c7b86d8f410fcf458565096e25a35d79cfb5e0ef361512369bbb22c8d1ee
                                                                                            • Opcode Fuzzy Hash: d97285b666689f95f4f81ccfde7167821af463f19d94a12f43f3e5ee6a03675c
                                                                                            • Instruction Fuzzy Hash: 3611B27A7006048FDB14DB9CD884A6AB7E7FFCC360B158669D94AC7355DE31EC028B50
                                                                                            Function 0185D088 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: 1f2ed6bfdd49146f467d759c76640a2289c2ffdf0efeabacd1a9a2e870cf41c1
                                                                                            • Instruction ID: 96ac1c968267f0ef24b0e916dde51bf51e4ff3cdaae421dd61dee01cde4311d0
                                                                                            • Opcode Fuzzy Hash: 1f2ed6bfdd49146f467d759c76640a2289c2ffdf0efeabacd1a9a2e870cf41c1
                                                                                            • Instruction Fuzzy Hash: 2C116D393006048FCB24DB9DD884A2ABBE7FFCC360B148569E94AC7355DE32EC028B51
                                                                                            Function 05C09FD1 Relevance: 1.3, Strings: 1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 7b008671b50f649e7396ba225b9878b3da10e59e9448e1f22d22c045caaa55b6
                                                                                            • Instruction ID: 5eebcf73dcb8cea66af720090c1b3e87aa14cd2a94307761e00aa623d69f20a5
                                                                                            • Opcode Fuzzy Hash: 7b008671b50f649e7396ba225b9878b3da10e59e9448e1f22d22c045caaa55b6
                                                                                            • Instruction Fuzzy Hash: 9D01B562B087909FC3125B39AC68A567FB15F9A210F1A01EBE085CB3E3C7549C04CB62
                                                                                            Function 05C08D28 Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 0face39e2c7ba7cd216301d84493cef39cc7094e5b9ea00af23f9541ddb90c95
                                                                                            • Instruction ID: 0b4aeb59843b09f2dda3d4d07216fb2ede26e1f87163927b7e303c8bb479f940
                                                                                            • Opcode Fuzzy Hash: 0face39e2c7ba7cd216301d84493cef39cc7094e5b9ea00af23f9541ddb90c95
                                                                                            • Instruction Fuzzy Hash: 2E112A71A00215CFCB08DF28C459AA97BF6AF88710F1045A9E402EB3A0CF75AD41CBA0
                                                                                            Function 0185FB12 Relevance: 1.3, Strings: 1, Instructions: 37COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 404d5351d90ed32dfe40b330db5fe22f29ef36b3e4faf8d19517433b6d2b7f2b
                                                                                            • Instruction ID: 3a6328fdbc0202bbc41f97b731254946b457ab7fc486f2997143579f289c761c
                                                                                            • Opcode Fuzzy Hash: 404d5351d90ed32dfe40b330db5fe22f29ef36b3e4faf8d19517433b6d2b7f2b
                                                                                            • Instruction Fuzzy Hash: EDF0BB767002045BC304DA9DDDD4E6BB79AEFDC760B15856EEA0DCB396C931DC068360
                                                                                            Function 05C08090 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 4f7ee64547018c40b6153217f4cca37a1a69273d71acf03fb0661bd5e7d2ebee
                                                                                            • Instruction ID: 6100802536ac7cb2c79cd12ba411e3dd25a7ed37a185431767922e701e9c99e3
                                                                                            • Opcode Fuzzy Hash: 4f7ee64547018c40b6153217f4cca37a1a69273d71acf03fb0661bd5e7d2ebee
                                                                                            • Instruction Fuzzy Hash: 10F0E5727402105FC7549A3EA858AAEBBDAEFC922071800BDE00ACB3A1CE219D028654
                                                                                            Function 05C0A020 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Tejq
                                                                                            • API String ID: 0-2468842661
                                                                                            • Opcode ID: 1c9d3f50b10f85e366a48cde7bb5d5e5306edc6b571a7174565ff742bbcba4af
                                                                                            • Instruction ID: 19d0b4d6b274fcc4c09363c3a224b6869a6615f4b740f21f103a0f9a51d74451
                                                                                            • Opcode Fuzzy Hash: 1c9d3f50b10f85e366a48cde7bb5d5e5306edc6b571a7174565ff742bbcba4af
                                                                                            • Instruction Fuzzy Hash: E4E065757501105FC7449B6EE858E5AB7DAEFCDB20B254069F109CB3A1CE61DC018794
                                                                                            Function 0185BF91 Relevance: 1.3, Strings: 1, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PHjq
                                                                                            • API String ID: 0-751881793
                                                                                            • Opcode ID: b6a76f3d9b5cb15b97dbe7f7c2086824099ceec4cb1863378caaf3b61f88492b
                                                                                            • Instruction ID: 7f6ca6d06e4dcf613ae22ca6cac0401aa47a2f5eca8284e2c1974ea5b2e37487
                                                                                            • Opcode Fuzzy Hash: b6a76f3d9b5cb15b97dbe7f7c2086824099ceec4cb1863378caaf3b61f88492b
                                                                                            • Instruction Fuzzy Hash: ABD02B7250430447CF144E64AD443253F5ABF41310F680168A911C62C6E635D802C7A1
                                                                                            Function 05C0645F Relevance: .3, Instructions: 345COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c0d5da16c2d7eb45ce1528c4ac3fcc27a1d61a8d3af9fe965d9e248f36f1b63e
                                                                                            • Instruction ID: bbacbcf820354fa3ddcadd08fe10c5898a0e044d581a103b103440bd5c12662f
                                                                                            • Opcode Fuzzy Hash: c0d5da16c2d7eb45ce1528c4ac3fcc27a1d61a8d3af9fe965d9e248f36f1b63e
                                                                                            • Instruction Fuzzy Hash: C6E16F74A00616CFCB04DF58C5849AAF7F2FF88310B568969E5499B3A5EB30FD91CB90
                                                                                            Function 05C06DC0 Relevance: .3, Instructions: 326COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7f557187ce58b8f3bafe9cc045f2f169bd2341c9ba986c66d4fc7fd30cea7520
                                                                                            • Instruction ID: 9fb3e72d7aa636f4e3581c5f8e72199490363ee428c77aab7bd9b710b1300ff5
                                                                                            • Opcode Fuzzy Hash: 7f557187ce58b8f3bafe9cc045f2f169bd2341c9ba986c66d4fc7fd30cea7520
                                                                                            • Instruction Fuzzy Hash: 00B1B071B006058FC714DF68C844B6EBBB2EF84320F15CAAAE5599B395DB70ED46CB90
                                                                                            Function 0185DC59 Relevance: .3, Instructions: 293COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 98b41d6af4b34058ce446679ef6bd4a37ea4981972de647b28a7682d8d70059e
                                                                                            • Instruction ID: 7472404b829512b6bdabfaf32a09735bc0f164b4f6c26057474916c3d99972bf
                                                                                            • Opcode Fuzzy Hash: 98b41d6af4b34058ce446679ef6bd4a37ea4981972de647b28a7682d8d70059e
                                                                                            • Instruction Fuzzy Hash: 1AC1E275A0120ADFCF41CF98C9808AEBBB2FF49354B248559ED05EB361D731E916CBA1
                                                                                            Function 018541E0 Relevance: .2, Instructions: 249COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 93e1adc620f63c0888aada570eeb3ba61c534b46e59eb40a06833a7d1a0517d9
                                                                                            • Instruction ID: 766b1b53b81a8020cc8536a4c9f4a984d93d9af83fd6edc363e74fb41338c7ef
                                                                                            • Opcode Fuzzy Hash: 93e1adc620f63c0888aada570eeb3ba61c534b46e59eb40a06833a7d1a0517d9
                                                                                            • Instruction Fuzzy Hash: F0A14C34B002059FC745DF69E998A6EBBE6FF88340B108529E906DB395EF75DD06CB40
                                                                                            Function 018541F0 Relevance: .2, Instructions: 247COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b81482e0501fb551fd6c5b043a649b49b6a58a5d5c42939be54d072c6bb724ca
                                                                                            • Instruction ID: d7dfcbc86dee6d2a4e5f3971fd2bba3787df39f52469616c762a7b010a7eb406
                                                                                            • Opcode Fuzzy Hash: b81482e0501fb551fd6c5b043a649b49b6a58a5d5c42939be54d072c6bb724ca
                                                                                            • Instruction Fuzzy Hash: 37914B34B002059FC745DF69E998A6EBBE6FF88340B108529E906DB395EF75ED06CB40
                                                                                            Function 01855EE0 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0431504830a44c45b2fc9dfe1e0c9edc8df4c54c65505b86988ee4b4ae3180d4
                                                                                            • Instruction ID: bcfef886e97451903031c34197ae04a91c2067ee771e10148b6d0ffea58f6348
                                                                                            • Opcode Fuzzy Hash: 0431504830a44c45b2fc9dfe1e0c9edc8df4c54c65505b86988ee4b4ae3180d4
                                                                                            • Instruction Fuzzy Hash: FA913A30B002198BCB55DF68E94499EBBF6EF88310B548629ED05DB359EB75AD06CF80
                                                                                            Function 05C01C28 Relevance: .2, Instructions: 208COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0e7cedaa0d9c11f3e557795c8636ab8e5930ebc3fdc51a454a2d56de4977b5ca
                                                                                            • Instruction ID: 1204f7e79ed6e022c95d9524a592e6aa4248bc9199dc5be75cfd9f6f5fc24e27
                                                                                            • Opcode Fuzzy Hash: 0e7cedaa0d9c11f3e557795c8636ab8e5930ebc3fdc51a454a2d56de4977b5ca
                                                                                            • Instruction Fuzzy Hash: D3818D75B006099FDB04CF68C884AAEF7B6FF84310F158599E519AB3A1DB70ED42CB90
                                                                                            Function 05C00AC8 Relevance: .2, Instructions: 195COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: af08195206e6c3776fb4286a2c29c2e42ef9911c257a875e327980887b578abe
                                                                                            • Instruction ID: 3946b37e836d0dd3c7b96018964615afefcba0546b21456438799ff1e7e1089e
                                                                                            • Opcode Fuzzy Hash: af08195206e6c3776fb4286a2c29c2e42ef9911c257a875e327980887b578abe
                                                                                            • Instruction Fuzzy Hash: 4861D932B001199FCB14DFA8C894AAEB7F2FFC8310F558469E919A7395DB319D41CB90
                                                                                            Function 01856E68 Relevance: .2, Instructions: 193COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aba1fa8652bba6a14635002a29d5f80fe4ba4b7bc8da8b80b3e391009ab94480
                                                                                            • Instruction ID: 90e5f117292f130812aeff5254ba9a25ae685d0a30445b686dfd01c390a12f4e
                                                                                            • Opcode Fuzzy Hash: aba1fa8652bba6a14635002a29d5f80fe4ba4b7bc8da8b80b3e391009ab94480
                                                                                            • Instruction Fuzzy Hash: FD618F31B002058FCB44DF68D8849AABBF6FF89310764856AEA0ADB355EF71AD05CB50
                                                                                            Function 018564B9 Relevance: .2, Instructions: 155COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ef70b08a3214eb9a5936ba8a51ca1616ab0492a9ab80ee017c334f20c5874eb
                                                                                            • Instruction ID: ed9d6910ead7feb7f3e57a32ee10dfb70eb051d7f510fe44ec7c0dae873d2aa2
                                                                                            • Opcode Fuzzy Hash: 7ef70b08a3214eb9a5936ba8a51ca1616ab0492a9ab80ee017c334f20c5874eb
                                                                                            • Instruction Fuzzy Hash: 6A512C35A10619CFCB45CFA9C88499DBBF6FF89700B25856AE505EF321DB71AD05CB80
                                                                                            Function 05C02660 Relevance: .1, Instructions: 147COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7e5831bd74215a0138a54626bd0af9780817107cb2cb989c27248378d1d4d623
                                                                                            • Instruction ID: 0ea9af81eac1e6119f9f348596b7876c56f1c0e49ddd700ae70dc903e840be5a
                                                                                            • Opcode Fuzzy Hash: 7e5831bd74215a0138a54626bd0af9780817107cb2cb989c27248378d1d4d623
                                                                                            • Instruction Fuzzy Hash: 1551D175B04240AFC715DB28C894B2EBBB2EF85310F1684AAE505DB3E2DB30ED46CB51
                                                                                            Function 018561F0 Relevance: .1, Instructions: 137COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 85199dce11e30f7e85a043eb2babfa00b5515c8d1ce01eeaf44dd407d0b6cde2
                                                                                            • Instruction ID: 5f24277a2ec3fee2d1b7d7bd8de7be8426b7785c2ca01295a9a3fdab4aecef81
                                                                                            • Opcode Fuzzy Hash: 85199dce11e30f7e85a043eb2babfa00b5515c8d1ce01eeaf44dd407d0b6cde2
                                                                                            • Instruction Fuzzy Hash: 29516E30E103099FDB01DFB9E854B9DBBB5FF88300F108569E514AB254DB79A945CF50
                                                                                            Function 01858DA8 Relevance: .1, Instructions: 136COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ae6ebe8358236ed93609e7e54fb5d6292f877ba7b5f5eb22d6f8951f29983071
                                                                                            • Instruction ID: bb6a0a319edd3d000e0c169c14b5040a0beb944af75c789e2e2f951891b0aaf4
                                                                                            • Opcode Fuzzy Hash: ae6ebe8358236ed93609e7e54fb5d6292f877ba7b5f5eb22d6f8951f29983071
                                                                                            • Instruction Fuzzy Hash: 49515E70600205CFDB58DF29D8D86677BB6EF8A315B004199E915DF3A9DB30E912CF91
                                                                                            Function 05C01C18 Relevance: .1, Instructions: 136COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1f08149eedab78a9fb6daa65cce0fab66de840ec6b0c6684638ef7cffa5258dc
                                                                                            • Instruction ID: 02f9bb434e1198a6715513b771c883db8e3cf87ef237bc931f302f6cdeaa15b9
                                                                                            • Opcode Fuzzy Hash: 1f08149eedab78a9fb6daa65cce0fab66de840ec6b0c6684638ef7cffa5258dc
                                                                                            • Instruction Fuzzy Hash: 0A516575B006059FDB08DF58C885E6EBBB6EF84320F5984A8E5059F3A1DB71EC42CB90
                                                                                            Function 018561E0 Relevance: .1, Instructions: 127COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1718c338087d61a6c7a468c9c82ff36d8d989367eddbc2eaca02528241b2bb51
                                                                                            • Instruction ID: 7dc0f55dffa2b05503ab2f18e9bd03ed17c64d6e0a53cc0e00d80a155090c56c
                                                                                            • Opcode Fuzzy Hash: 1718c338087d61a6c7a468c9c82ff36d8d989367eddbc2eaca02528241b2bb51
                                                                                            • Instruction Fuzzy Hash: BD516070E003099FDB00DFA8E948BDDBBB5FF88300F108559E515AB264EB79A945CF50
                                                                                            Function 0185DAD8 Relevance: .1, Instructions: 116COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7879c26de1b3901e0ccb36344f0a4cda70fd9512f40e3b388f4c80e56a99fe58
                                                                                            • Instruction ID: 22221746433ff1b6d2680dbe887c4b7265d0be91dfeacda859e78a94ea6b7e76
                                                                                            • Opcode Fuzzy Hash: 7879c26de1b3901e0ccb36344f0a4cda70fd9512f40e3b388f4c80e56a99fe58
                                                                                            • Instruction Fuzzy Hash: 8F412938B00209DFDB54DB9CC5809AA7BF6EBCC314B548195ED06CB365DB71EE028B52
                                                                                            Function 0185E5E8 Relevance: .1, Instructions: 112COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a6688b5f2a13915b9774e039ea396f074f9b23a0c666f73914ac84e0ed7b7afc
                                                                                            • Instruction ID: 036b35b90db56ce52eeee5945ec2dffcad718ffb94abc5ac2dfaefeaee5079e3
                                                                                            • Opcode Fuzzy Hash: a6688b5f2a13915b9774e039ea396f074f9b23a0c666f73914ac84e0ed7b7afc
                                                                                            • Instruction Fuzzy Hash: 72418F316005058FCF58DF29D8D865ABBB5EF89354B0481A9EC11DF2E9DB30EA52CF91
                                                                                            Function 01854CA8 Relevance: .1, Instructions: 110COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4d393bb46b1bde3cd4570662e96c690c9cc9cbaf81b6d28b23773bd75db3874c
                                                                                            • Instruction ID: 12cccc5a4b902ca90868cd3f565be2235e13e28f82189881fe6755577b78f8b1
                                                                                            • Opcode Fuzzy Hash: 4d393bb46b1bde3cd4570662e96c690c9cc9cbaf81b6d28b23773bd75db3874c
                                                                                            • Instruction Fuzzy Hash: 6831AE30B001068FDB589F69C498AAEFBF6EF8A344F104469D906E7394EB70DD448B91
                                                                                            Function 01850A10 Relevance: .1, Instructions: 100COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f19a8e5a6ef7837b610b503c128c592d71f6e298e1d5dccebf376ae3d0be50b5
                                                                                            • Instruction ID: 700bcd175217b2454eb6ba5b1d2913f92be438a9471ea88892bb7b7c4d58f672
                                                                                            • Opcode Fuzzy Hash: f19a8e5a6ef7837b610b503c128c592d71f6e298e1d5dccebf376ae3d0be50b5
                                                                                            • Instruction Fuzzy Hash: 12416E74E012199FDB58DFAAD980AAEBBF2BF88300F14812AE814B7354DB345941CB50
                                                                                            Function 01857158 Relevance: .1, Instructions: 96COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 83ce0f60a33bda508a4d273394dedd86ba8952e50d72e5bb3cfbfa0fe47b51c4
                                                                                            • Instruction ID: 993d20a7f71b68cf49e99aa0d35d7be860e6cc6a292daedce9c8c13a743c7f5f
                                                                                            • Opcode Fuzzy Hash: 83ce0f60a33bda508a4d273394dedd86ba8952e50d72e5bb3cfbfa0fe47b51c4
                                                                                            • Instruction Fuzzy Hash: AF317C31B102048FDB54CF68C498AAEBBF6EF89350F548469E806EB360DB31EE05CB50
                                                                                            Function 05C02C81 Relevance: .1, Instructions: 95COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 919c45375e41ecb4c4adc3aac5200fbee25f5666125e712f84d695ae9a54c587
                                                                                            • Instruction ID: eff31ef826e98b51ac54a106c28ab18e9b7189befd7e5d679baefdbb3a05b8cf
                                                                                            • Opcode Fuzzy Hash: 919c45375e41ecb4c4adc3aac5200fbee25f5666125e712f84d695ae9a54c587
                                                                                            • Instruction Fuzzy Hash: 3E310676E002099FCB04DFA9C9849EEBBF6FB88310F158469E519B7350DB34AD41CBA0
                                                                                            Function 05C096D1 Relevance: .1, Instructions: 88COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 24206a687064cc1de86f3c561995bd99261bdcac81582affd7cfbcfc7a321256
                                                                                            • Instruction ID: 183d2588beb6c7906f39568128a29582efe076e48f1fae0adb363f1fc6e77adc
                                                                                            • Opcode Fuzzy Hash: 24206a687064cc1de86f3c561995bd99261bdcac81582affd7cfbcfc7a321256
                                                                                            • Instruction Fuzzy Hash: 1F310535704244CFC715DB38D848A2EBBF6AF85200B19C8AEE149CF3A2CA31EC05C751
                                                                                            Function 01859140 Relevance: .1, Instructions: 87COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d2b53c5e9fbd85a1bf286b60cdfc10972d8d5dd161fd9c9dfb5b0bea11ec321d
                                                                                            • Instruction ID: 57c9664d8b6386eb32ffc14ef1317b8d0f439591c65c7d985b831bf3aa275014
                                                                                            • Opcode Fuzzy Hash: d2b53c5e9fbd85a1bf286b60cdfc10972d8d5dd161fd9c9dfb5b0bea11ec321d
                                                                                            • Instruction Fuzzy Hash: 02311B34A00705CFC770DF2AC84866AB7F6EF89354B144A68D866DB6A5D730EA46CF80
                                                                                            Function 01858FC0 Relevance: .1, Instructions: 84COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5ffcb978a91ef00cd938461d33d85e980e66a66addf3ee261a0983ea17cb7139
                                                                                            • Instruction ID: 2a875b444d56007c1be7de82d7edac0b7a91f4f5c0724a7a03e03c9a7b6002fd
                                                                                            • Opcode Fuzzy Hash: 5ffcb978a91ef00cd938461d33d85e980e66a66addf3ee261a0983ea17cb7139
                                                                                            • Instruction Fuzzy Hash: ED312970A00605CFC770DF2AC84466AB7F6EF89324B104A6CD996DB7A5D731EA46CF80
                                                                                            Function 05C03198 Relevance: .1, Instructions: 84COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d8be5bff253997d5274e62c437735176d81fadb29a102093fbb6ade79f557257
                                                                                            • Instruction ID: 5a41ba8f3fabf6ae215242c81f6ad1d979de40a9e5b22965b8557f2aa58f2c97
                                                                                            • Opcode Fuzzy Hash: d8be5bff253997d5274e62c437735176d81fadb29a102093fbb6ade79f557257
                                                                                            • Instruction Fuzzy Hash: 2A319C75604109AFDB65CF54D884FAF37BAEB89700F008A28E806DB696D731ED50CBA0
                                                                                            Function 05C04A4A Relevance: .1, Instructions: 80COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5c8631e209ded15c8f500ffd10a53e3cba369fc55d191ca7c14464d68af2301a
                                                                                            • Instruction ID: 625f3f9079ed1d07dcd4c0cac59ca26802ebca2647fe0417831d061b210dff5e
                                                                                            • Opcode Fuzzy Hash: 5c8631e209ded15c8f500ffd10a53e3cba369fc55d191ca7c14464d68af2301a
                                                                                            • Instruction Fuzzy Hash: 48212735B003059FCB05EB28F8449AE7BBAEFC5220B148569D50197354EF74EC46CBE0
                                                                                            Function 018592B8 Relevance: .1, Instructions: 77COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0dea8e791de98056f2757ff60acff66bb5172161b9ea64bed754132e4778cab0
                                                                                            • Instruction ID: 47ee37fbcedfba02c6e71eeae5ff3ab436cda4968e5ef1c4c9dbd89d8ad26752
                                                                                            • Opcode Fuzzy Hash: 0dea8e791de98056f2757ff60acff66bb5172161b9ea64bed754132e4778cab0
                                                                                            • Instruction Fuzzy Hash: 62216F30A05705CFD774DF29D9446AABBF9EF89314B042A2CD956C72D5D730EA04CB90
                                                                                            Function 05C02859 Relevance: .1, Instructions: 73COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2e1d203a25d47c65ae58a0be60fad5d32e85ce42975aa968a0477412b90949b7
                                                                                            • Instruction ID: 111142cbb26ea51a2927d1a87853e8dd4eee8fb87c172c3bc92ac6b97aa0bae4
                                                                                            • Opcode Fuzzy Hash: 2e1d203a25d47c65ae58a0be60fad5d32e85ce42975aa968a0477412b90949b7
                                                                                            • Instruction Fuzzy Hash: DC21F67A704701ABD7189B65DC58B2DBBA6FBC8321F104A29F51AC73C4DB30B941CB90
                                                                                            Function 018553C8 Relevance: .1, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4fdcf171c7f7fe0edacb2fd3197128991ebe482baa770ba55522a05abc8dc40d
                                                                                            • Instruction ID: 106aeb34c45f6f41537305700c5ac234e25cede4954eae25e056cfc8e219451c
                                                                                            • Opcode Fuzzy Hash: 4fdcf171c7f7fe0edacb2fd3197128991ebe482baa770ba55522a05abc8dc40d
                                                                                            • Instruction Fuzzy Hash: 17219F71600105CBCF68CF28D9C499A7F79EF48321B044165DD15DF29ADB31DA51CFA0
                                                                                            Function 01850A00 Relevance: .1, Instructions: 68COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 537a3c5b4816b4a392217633f3aa80121b3f28f814af45c8e09076951ecafed3
                                                                                            • Instruction ID: cbc7736fa4e2dc546da9cdbdf13b11f97d2756523dfce73f2c8e43c0509e2172
                                                                                            • Opcode Fuzzy Hash: 537a3c5b4816b4a392217633f3aa80121b3f28f814af45c8e09076951ecafed3
                                                                                            • Instruction Fuzzy Hash: 55211374E052188FDB49CFAAC8506DEBBF2AF89300F14C06AD814AB264DB744A06CF50
                                                                                            Function 05C08E00 Relevance: .1, Instructions: 68COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ecefc2a96027139c57f528948a169f78415fc3e10b7c808bc3859a95d14efe9b
                                                                                            • Instruction ID: a8c9adfcdeb39522536e59f4b6164c2f8deb2d058e35f094e87a3d5791b749c8
                                                                                            • Opcode Fuzzy Hash: ecefc2a96027139c57f528948a169f78415fc3e10b7c808bc3859a95d14efe9b
                                                                                            • Instruction Fuzzy Hash: 82213975A00104DFCB44DFA5C995AAEBBF2FF88220F649469E505AB3A5DB30AD41CB60
                                                                                            Function 05C08E10 Relevance: .1, Instructions: 66COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bcfd740c8a6474e544e6546153d59dda1a81895a415fb3172a77c77cefee1b37
                                                                                            • Instruction ID: d7bcfbd32c06d1ac0b829f84983bc93a5be587595f1157fe3836af3d0b7d3c09
                                                                                            • Opcode Fuzzy Hash: bcfd740c8a6474e544e6546153d59dda1a81895a415fb3172a77c77cefee1b37
                                                                                            • Instruction Fuzzy Hash: 0D212934B001049FCB44DF69C995AAEBBF6FF8C320F649069E505AB3A0DB31AC41CB60
                                                                                            Function 01854E70 Relevance: .1, Instructions: 64COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9ed01875fa1539ac81755fc876a9e3b2f0901927fccf50494722d4ae73c2bb76
                                                                                            • Instruction ID: dc03bcb6e00890127a0aaa66221b223e4c2528500775c1c91cdebc956ed3df6d
                                                                                            • Opcode Fuzzy Hash: 9ed01875fa1539ac81755fc876a9e3b2f0901927fccf50494722d4ae73c2bb76
                                                                                            • Instruction Fuzzy Hash: 8E2151312007058FC734CF2AD948996BBF5EF44320B004B2CE5529B6A1EB31FA89CF80
                                                                                            Function 01857253 Relevance: .1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f61acf23dff78a6b04dfd4351784b5eef1fd38ac81e1421846915f34168f24ad
                                                                                            • Instruction ID: d42b259ad308c8235284f06ec06c551ba60e6251e2bfffa74f9213d882da9a45
                                                                                            • Opcode Fuzzy Hash: f61acf23dff78a6b04dfd4351784b5eef1fd38ac81e1421846915f34168f24ad
                                                                                            • Instruction Fuzzy Hash: B1110330A042048FC710CF19D89465ABFF6EF89344F64846EE90ADB351DB329E06CFA1
                                                                                            Function 05C07F30 Relevance: .1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4c6532afcb97294dd37becc0d40101b5cd6f00a80d4c7f43b30a612f15c482bd
                                                                                            • Instruction ID: 1a83e597b4fff2fd22ebca9dbb113c72d2ea12b62d3f75d706a0b6f3cf06694c
                                                                                            • Opcode Fuzzy Hash: 4c6532afcb97294dd37becc0d40101b5cd6f00a80d4c7f43b30a612f15c482bd
                                                                                            • Instruction Fuzzy Hash: E3118E36700A058FC728CB18C680866F7E2FF44365729CA66E46AC7781E730FC438B90
                                                                                            Function 05C097C8 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 69c6d65802d95519dea59772d0d7fd5087dedee7c935620a0fb819867790bfb7
                                                                                            • Instruction ID: 8211c01ac609f61f3333002b1704246ce6a9d011de071fbf95d35b7cbb6e075f
                                                                                            • Opcode Fuzzy Hash: 69c6d65802d95519dea59772d0d7fd5087dedee7c935620a0fb819867790bfb7
                                                                                            • Instruction Fuzzy Hash: 9601A536F001198FCB10DAA9ED496BEBBB9FB88611F144521E915F3380DB305A018B92
                                                                                            Function 05C07A70 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a31c625c591cca49953ffc7c83d26c1caaaae0a2f144a903847c9acabc25ea52
                                                                                            • Instruction ID: 204ed781a755da9b3a86230cc72a3073ae7d1883025a74fc8e3e8dd397ffec3b
                                                                                            • Opcode Fuzzy Hash: a31c625c591cca49953ffc7c83d26c1caaaae0a2f144a903847c9acabc25ea52
                                                                                            • Instruction Fuzzy Hash: 7E11AB72B052496FCB059B6988558BFBFA6FF8521076480A9D509CB291EB30ED0AC7A0
                                                                                            Function 01850839 Relevance: .1, Instructions: 52COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 74e92e41d49c28b30e4be633709db09075ccc94df358c287a85d0232c3a8312e
                                                                                            • Instruction ID: c8f835070e3f67ad822626bea21690885ffcc7ebf6fb30635cc281a9850afc33
                                                                                            • Opcode Fuzzy Hash: 74e92e41d49c28b30e4be633709db09075ccc94df358c287a85d0232c3a8312e
                                                                                            • Instruction Fuzzy Hash: B6113D74E0020A9FCB44DFA8D954AAEBBB1FF89300F10846AD918E7395DB35AA05CF51
                                                                                            Function 01850848 Relevance: .0, Instructions: 50COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9d0d3112fd93388c639d22e78bfa5c397b5ec6beff9df5c70e7c2982f4980ae3
                                                                                            • Instruction ID: 4605a0ab6456e3f6d80052eeec99859432cacdb2e2052254bbb2d63956cf2c77
                                                                                            • Opcode Fuzzy Hash: 9d0d3112fd93388c639d22e78bfa5c397b5ec6beff9df5c70e7c2982f4980ae3
                                                                                            • Instruction Fuzzy Hash: CA112E74E0020A9FCB44DFA9D9449AEFBB1FF89300F108469D915E7354DB34AA01CF51
                                                                                            Function 05C09748 Relevance: .0, Instructions: 50COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d9a7a33bf3de9bf46804771e1b7d275cb0d32e207e4abc79c3f5ae579b74f90b
                                                                                            • Instruction ID: 602248995e1be70ee0ac44d376cb125b8a9d58b259a6b63279610b1d7d337412
                                                                                            • Opcode Fuzzy Hash: d9a7a33bf3de9bf46804771e1b7d275cb0d32e207e4abc79c3f5ae579b74f90b
                                                                                            • Instruction Fuzzy Hash: 5B011A367002109FC758DB79D988C2EBBEAEFC921431985B9E509DB365CE31EC018B90
                                                                                            Function 017FD01D Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2051845210.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_17fd000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2ecbf82e586c45b3e598500284a89e76cf3f3c5f7a9d8cad2721bb26755cf19f
                                                                                            • Instruction ID: 2d627c1bdcd1ebbddd25c5669a9c25f9048f952aee25ef8af3cbe1f1ce58cd6e
                                                                                            • Opcode Fuzzy Hash: 2ecbf82e586c45b3e598500284a89e76cf3f3c5f7a9d8cad2721bb26755cf19f
                                                                                            • Instruction Fuzzy Hash: 4401F731504300DAE7308AA9C984B67FF9CEF463A4F18C56EEF490B386C2799805C6B1
                                                                                            Function 05C07A5F Relevance: .0, Instructions: 41COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0c7e849445910b50117b6bec5d09bb65ea464c4671f4efa6fb946597a15f6668
                                                                                            • Instruction ID: 95f0769225b6823cf065d73a48dacf8979fd6446036b7b59ebb81f7820dff7ba
                                                                                            • Opcode Fuzzy Hash: 0c7e849445910b50117b6bec5d09bb65ea464c4671f4efa6fb946597a15f6668
                                                                                            • Instruction Fuzzy Hash: 3EF02D76B001099FDB04DB54DA449ABBBA6FFC8311B35C039E50897390EB30AE07C760
                                                                                            Function 05C03BA1 Relevance: .0, Instructions: 38COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ec529e9aee13662305a727503f28ad2e1e61d180d5ada3be2c0763d631771a2
                                                                                            • Instruction ID: debe3578abc9fc3724b39f30b39e408690dc6e41cc0493ae7e4f165bca32b745
                                                                                            • Opcode Fuzzy Hash: 7ec529e9aee13662305a727503f28ad2e1e61d180d5ada3be2c0763d631771a2
                                                                                            • Instruction Fuzzy Hash: 56F0C27230530057C315965DA884E1BFBAAFBC0BA0319082DD40987380FE69EC00C790
                                                                                            Function 05C049E0 Relevance: .0, Instructions: 37COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f4f22da806ccba4772e27039ddc9f63d1993179157f78ddbc5707c98df5bdd48
                                                                                            • Instruction ID: 17738ae240c20fd4624f2e963f61d858bcb301fe955c550ea951e3248173d9a8
                                                                                            • Opcode Fuzzy Hash: f4f22da806ccba4772e27039ddc9f63d1993179157f78ddbc5707c98df5bdd48
                                                                                            • Instruction Fuzzy Hash: A4F059323042008FD7085F39E544729B7D6EF84260F24453DD404833A6CE39CC428781
                                                                                            Function 017FD01C Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2051845210.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_17fd000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 14d2a29f1e1936382594e159d696e65b65ffb7b4b1aee0c3e804b61715692174
                                                                                            • Instruction ID: efa626d4c4211ce9362c21694cdbb51f397381da3236d4450fc60ece831eed07
                                                                                            • Opcode Fuzzy Hash: 14d2a29f1e1936382594e159d696e65b65ffb7b4b1aee0c3e804b61715692174
                                                                                            • Instruction Fuzzy Hash: EBF0C271404344AEE7218A1AC884BA7FF98FF42264F18C55AEE480B386C2799845CAB0
                                                                                            Function 018518C8 Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5debf2835e1fdfe92bab034b5b87d6bb712bbb43aab1609df54c50dae1669976
                                                                                            • Instruction ID: 209c051d0ec832a471ece99a064b174970243a5bae131603aed541a02e568327
                                                                                            • Opcode Fuzzy Hash: 5debf2835e1fdfe92bab034b5b87d6bb712bbb43aab1609df54c50dae1669976
                                                                                            • Instruction Fuzzy Hash: 4FF0C8303016414BC757973DB428A5E7B66EF8A750305406ECD59C7747DA2ADE05CB82
                                                                                            Function 05C03BB0 Relevance: .0, Instructions: 34COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1a83c7cac5332e2b3e754f218164673abfd8292c59da9aa3ba0534cfae4b6532
                                                                                            • Instruction ID: 3d630225552f3b357bcaef5ba260e719cc69cca8d760631e8014da8a990588c8
                                                                                            • Opcode Fuzzy Hash: 1a83c7cac5332e2b3e754f218164673abfd8292c59da9aa3ba0534cfae4b6532
                                                                                            • Instruction Fuzzy Hash: 5FF05E31301315578614A66EA885D5BBBAEFBC4BA0314482DE509C7354FE69ED058BA4
                                                                                            Function 01855961 Relevance: .0, Instructions: 31COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9b0326ec14af92bb87896798fe003311c0a08c7f6b1dfbfcc9c6cacda422b35d
                                                                                            • Instruction ID: 29f72d69b591bd89d05601b004015c515b4bed3147107d9e7abcd2f16a2a9047
                                                                                            • Opcode Fuzzy Hash: 9b0326ec14af92bb87896798fe003311c0a08c7f6b1dfbfcc9c6cacda422b35d
                                                                                            • Instruction Fuzzy Hash: 36F0EC6294E3D48FE30383286CA04903F74CE27209B0A42C7DC84CB1B3E11C8E0DD762
                                                                                            Function 018518D8 Relevance: .0, Instructions: 31COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: df0243eef108a62f8a648d73f3d4c2257c4575d12c1a7e815ffe0170a21b7f98
                                                                                            • Instruction ID: 02c6cb46d983e02388a6518919d69eec343ecfd7b186528d7fc6955741461997
                                                                                            • Opcode Fuzzy Hash: df0243eef108a62f8a648d73f3d4c2257c4575d12c1a7e815ffe0170a21b7f98
                                                                                            • Instruction Fuzzy Hash: A6F0A7313016054B87ABE62DB81CA5F77AAEBC9751300802DDD4AC7345DF2DEE058BD1
                                                                                            Function 0185BEC0 Relevance: .0, Instructions: 30COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a5909658a56237d4fc3217e822a41ce43038ba3354488ba9f60eca63243ad6ca
                                                                                            • Instruction ID: aec5966301b0b7aab9e1c7df3f3511aa79898fbf770f308657d2ed0980d58033
                                                                                            • Opcode Fuzzy Hash: a5909658a56237d4fc3217e822a41ce43038ba3354488ba9f60eca63243ad6ca
                                                                                            • Instruction Fuzzy Hash: 2BF03070D0020ADFDBA4DFADC84566EBBF1EB14320F204659D924E7391D77186418F91
                                                                                            Function 0185BEB1 Relevance: .0, Instructions: 28COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a8af31334f4d7a86001a04ceedcdcbfaf6dd9b7b02d5a6a82fdd7c0125a7e86d
                                                                                            • Instruction ID: 68f19aa674ef8b0102fd8ded360a6198580ae883076d1e4b7a247c0c3f344fa2
                                                                                            • Opcode Fuzzy Hash: a8af31334f4d7a86001a04ceedcdcbfaf6dd9b7b02d5a6a82fdd7c0125a7e86d
                                                                                            • Instruction Fuzzy Hash: 9CF06D70D00246DFDB64CF6DC485AAE7FB1EB15334F284699E520DB395C77592428F90
                                                                                            Function 0185BF38 Relevance: .0, Instructions: 26COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 998d6cca21fab9acfe1184de28d82e16fa3e87a4c0dfb0a97e157b7ed9cd8094
                                                                                            • Instruction ID: f64d48b40c43579123d36ae655805d5746a65e0645394007aff17a755a8d0fbd
                                                                                            • Opcode Fuzzy Hash: 998d6cca21fab9acfe1184de28d82e16fa3e87a4c0dfb0a97e157b7ed9cd8094
                                                                                            • Instruction Fuzzy Hash: 6CF0F870D042099FCB90DFA8D545AAEBFF1EB08314F1006A9E918E3291D77196408FC1
                                                                                            Function 01850E70 Relevance: .0, Instructions: 25COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: da730b67b58d082c148730b98aa6f994ff44b02e415be6dfcb5297d821b57c57
                                                                                            • Instruction ID: 83f2538a363e5cf0472b1e38e1ae4391e6cffa7a481c88745984f700c1534947
                                                                                            • Opcode Fuzzy Hash: da730b67b58d082c148730b98aa6f994ff44b02e415be6dfcb5297d821b57c57
                                                                                            • Instruction Fuzzy Hash: 40E06530505248EFC752EB78EC5954D7FB9DF46301B1544DAD908DB162DA324E04DB51
                                                                                            Function 05C02820 Relevance: .0, Instructions: 25COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9d345fa35679d39ddc229a1c3a8c742cf7c6ed0f633091a32bc2fa88786ceba0
                                                                                            • Instruction ID: 16a612a50bbadaabf352245781294a446f3c409df82db1c25fe44acaa081a3df
                                                                                            • Opcode Fuzzy Hash: 9d345fa35679d39ddc229a1c3a8c742cf7c6ed0f633091a32bc2fa88786ceba0
                                                                                            • Instruction Fuzzy Hash: DAE0863174275077C3265615AC05F1ABBAAEBCAF10F64406DF5095B780CF65BC02C794
                                                                                            Function 05C07FA0 Relevance: .0, Instructions: 25COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07ec5a83d75c9876c87e6b744e91813650cce6522ad73f90ea3fc9dbe650a5ba
                                                                                            • Instruction ID: 134ab35dc9658581de7430773e03d8db10008fcbb4dc203e0e6ba436c9dbda8e
                                                                                            • Opcode Fuzzy Hash: 07ec5a83d75c9876c87e6b744e91813650cce6522ad73f90ea3fc9dbe650a5ba
                                                                                            • Instruction Fuzzy Hash: 2AE08C36B011155B8B18811D9941965B6CAE7492B4B3CAA71F828C73C0FA21EC0387E0
                                                                                            Function 0185BF29 Relevance: .0, Instructions: 24COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 396d06547ac642de9318af9d2d24a5b6dc7c881642927d51227f1b7e70c112bb
                                                                                            • Instruction ID: 2e3feb98b38cf748ca8c947c5a0bc79df03df56935d419943229519f9d88e226
                                                                                            • Opcode Fuzzy Hash: 396d06547ac642de9318af9d2d24a5b6dc7c881642927d51227f1b7e70c112bb
                                                                                            • Instruction Fuzzy Hash: 60F05E70D0460ADFDB54DF6CC985AAEBFF1EB04320F100A99E414E3291D7719241CF80
                                                                                            Function 05C07110 Relevance: .0, Instructions: 24COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 831f087cc8a20e468204f90c074b3d902e1a646b1e868a626001a4eac9565623
                                                                                            • Instruction ID: e0c5b02f4c892226d4d918530f80025258f038c0549d8555a5d094e36ff00319
                                                                                            • Opcode Fuzzy Hash: 831f087cc8a20e468204f90c074b3d902e1a646b1e868a626001a4eac9565623
                                                                                            • Instruction Fuzzy Hash: 8AE0D832711650CFC7099B34A61425A37D29B8921170A04FDE409DB351EF31FC02CFA0
                                                                                            Function 0185D708 Relevance: .0, Instructions: 21COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3c190e7dc9cc8d5ca25ebaff52d2be514a520bc872635451584ecfa97cc39b47
                                                                                            • Instruction ID: 03ddb82aacfa6bdc1d9db01866d738a7f57318ec822bd2d405a37a1408127397
                                                                                            • Opcode Fuzzy Hash: 3c190e7dc9cc8d5ca25ebaff52d2be514a520bc872635451584ecfa97cc39b47
                                                                                            • Instruction Fuzzy Hash: 26E09A70E443499FCB14CBA8D881A9DFFF0AF65311F1102EAD5549B3B2EA345A46CB84
                                                                                            Function 05C035AF Relevance: .0, Instructions: 20COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9018bf2ffed8f9bb4e9e176f798481cee9452983e49c2e4012e2014e8adb780
                                                                                            • Instruction ID: 2126eeddd36cf5e1d147617a51cc9cc2587125493d12335b87290e6fcb29dbc0
                                                                                            • Opcode Fuzzy Hash: c9018bf2ffed8f9bb4e9e176f798481cee9452983e49c2e4012e2014e8adb780
                                                                                            • Instruction Fuzzy Hash: 78E04F72A0110C9BCB40DFA8EA4969DB7F1FB84321B2201AAC40CD7240EA325E419B10
                                                                                            Function 0185D718 Relevance: .0, Instructions: 19COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 67a2a144e3ab09faa555683aa9616004e2ad1dff47c964993b9e870773d669ff
                                                                                            • Instruction ID: b0a7ffb1757cbd78552997f65fa08b4a406b89c2a9e405a17d0d4983daca9132
                                                                                            • Opcode Fuzzy Hash: 67a2a144e3ab09faa555683aa9616004e2ad1dff47c964993b9e870773d669ff
                                                                                            • Instruction Fuzzy Hash: D8E09A74E0430CAFCB44DFA8E54559DBFB5AF48300F0085A9D40997354EA345A05CF85
                                                                                            Function 01855910 Relevance: .0, Instructions: 18COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5b6c146a4d296faf858f5d474ca32c0526c50866f14561819a642cf0f3469b54
                                                                                            • Instruction ID: 0fe7f0d8e514ae9d9b4662d0652e874ade258704945795597c04735c8b7673b7
                                                                                            • Opcode Fuzzy Hash: 5b6c146a4d296faf858f5d474ca32c0526c50866f14561819a642cf0f3469b54
                                                                                            • Instruction Fuzzy Hash: D8E08C71A41009EFCB00DFA4FA81A9CBBB1FB0C205F1006ADD9089B314EB321E04CB81
                                                                                            Function 01850E80 Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: af0481e32897d75a04d9ab5db43c45410ccbecb79fb6cd300271328bd8ac6469
                                                                                            • Instruction ID: 0defe7881cad1d1f627efdfb7bd0eb7f784a85fbea5757b6e4b26abca0f265eb
                                                                                            • Opcode Fuzzy Hash: af0481e32897d75a04d9ab5db43c45410ccbecb79fb6cd300271328bd8ac6469
                                                                                            • Instruction Fuzzy Hash: A5D05E30A4120CEFCB50EFACF90495EB7F9EB45200B1041ADDA09D3304EA326F04DB90
                                                                                            Function 01855920 Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8772353fc4bee8b4de27fa63d8e429573796829c5fedf945307f3526eee8a024
                                                                                            • Instruction ID: 4da2066c9fdbfe286673c180a2a2599652a93c6e73851d9e5c90c427b7fdaa10
                                                                                            • Opcode Fuzzy Hash: 8772353fc4bee8b4de27fa63d8e429573796829c5fedf945307f3526eee8a024
                                                                                            • Instruction Fuzzy Hash: 91D01731A0110DEFCB00EFA9EA4695EBBF9EB49200B1046A9D908D3200EA326E049B90
                                                                                            Function 05C035C0 Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a258fedd807bb73ccb06fa60a7809cd82d10af423f4af5334bde0c311c68a1f8
                                                                                            • Instruction ID: 7689455b9968ff25371e6313587e4bfca7d903012529239b0435fa67bb245d09
                                                                                            • Opcode Fuzzy Hash: a258fedd807bb73ccb06fa60a7809cd82d10af423f4af5334bde0c311c68a1f8
                                                                                            • Instruction Fuzzy Hash: 83D01730A0120DEF8B40EFA8EA4595DBBB9FB44210B1041ADD508D3210EA316F009BA0
                                                                                            Function 0185D6E0 Relevance: .0, Instructions: 12COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 48ece31e9d0a13be5042617ccb667169588e0decf43293a52d1298582c6f876e
                                                                                            • Instruction ID: dc3c69ec341efd69c1efaf64e95e6c4ebeee4165d930deba699d6482407a7687
                                                                                            • Opcode Fuzzy Hash: 48ece31e9d0a13be5042617ccb667169588e0decf43293a52d1298582c6f876e
                                                                                            • Instruction Fuzzy Hash: 61C012B2E057048FC310CED49A82255B6509F65302F0205D7DA084B362D5228D104781
                                                                                            Function 018519E0 Relevance: .0, Instructions: 12COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6f931c5e63ad08241088f30f527f38e3c5ad1cea00be91eced8ce6a71c20f724
                                                                                            • Instruction ID: 9aa7967d82008fd235b69eaea704c14f14a9ba8815b164c161b1e369c8649576
                                                                                            • Opcode Fuzzy Hash: 6f931c5e63ad08241088f30f527f38e3c5ad1cea00be91eced8ce6a71c20f724
                                                                                            • Instruction Fuzzy Hash: CBC04CBA61000477CB44CE30CDA5B52B765EB96209F78C899E805CB3C1EA23FA038640
                                                                                            Function 05C09A4F Relevance: .0, Instructions: 11COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8708f3acaf540246cbcc40a40a4cc4885d8432f03a3241a085dea8fa969e4ff8
                                                                                            • Instruction ID: 1dce122b9df0f278fcc39e8a5c68d07fa0e8e8161df138865f3cb62809891376
                                                                                            • Opcode Fuzzy Hash: 8708f3acaf540246cbcc40a40a4cc4885d8432f03a3241a085dea8fa969e4ff8
                                                                                            • Instruction Fuzzy Hash: 3DD09E7184411ACBDB148F81C5597EE7F70BB04314F241C15D001661C1C7750185CFD0
                                                                                            Function 05C09A6B Relevance: .0, Instructions: 11COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9a2b72e506225a9901e2af56c8596b55e5cc1789b8c5659dd5bbb3fecc4f603
                                                                                            • Instruction ID: bff84403fa3243621aeffade6de40aaad53f417c61a1a9b878b2c596f48d2ca9
                                                                                            • Opcode Fuzzy Hash: c9a2b72e506225a9901e2af56c8596b55e5cc1789b8c5659dd5bbb3fecc4f603
                                                                                            • Instruction Fuzzy Hash: 1ED0927184421ACFEB208F81C5597EEBFB1BB04314F282C19D002A62C2C7B90289CFD4
                                                                                            Function 05C09A17 Relevance: .0, Instructions: 11COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5ae57f49f965cb3a3c056a51216744a4e6fc5b3f3e1c381179c770fb5620e393
                                                                                            • Instruction ID: 8be0f4cf62c24674042a1188776c0e38ffec5a5e6f762ccd729ba72d812f5c67
                                                                                            • Opcode Fuzzy Hash: 5ae57f49f965cb3a3c056a51216744a4e6fc5b3f3e1c381179c770fb5620e393
                                                                                            • Instruction Fuzzy Hash: CAD0927184421ACBEB208F81C459BEEBFB0FB04314F286C19D102A62C1CBB90289CFD0
                                                                                            Function 05C09A33 Relevance: .0, Instructions: 11COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a07cb6438bb6f4931662f69a6942c62ab06cd391dc9c15137148f60336b476b4
                                                                                            • Instruction ID: d0e4d98b5d50f83c48aed9f2787f87d8ae56ffdd772e061659064bd77afee5c5
                                                                                            • Opcode Fuzzy Hash: a07cb6438bb6f4931662f69a6942c62ab06cd391dc9c15137148f60336b476b4
                                                                                            • Instruction Fuzzy Hash: 26D0927184421ACBEB208F81C4597EEBFB0BB04314F282C19D002A62C1C7B90289CFD0
                                                                                            Function 01859D98 Relevance: .0, Instructions: 10COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 68ace324a1bfd3b3670ae7df7671135154ebebe1208695304d8dab910bfe4047
                                                                                            • Instruction ID: 92d9a1f4e9cae99d569ebb43026d37011ad3ab1db28b38ce80c7d41faf80c9ff
                                                                                            • Opcode Fuzzy Hash: 68ace324a1bfd3b3670ae7df7671135154ebebe1208695304d8dab910bfe4047
                                                                                            • Instruction Fuzzy Hash: 5CC0123222D3854FDB027F6CB475C083F34DB11121B0103A5A425890F6E79D5948E719
                                                                                            Function 0185D6F0 Relevance: .0, Instructions: 9COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cf5af02d3c57347f952b795045ee02fb0e0c418f4975e92e78d9310c20f4aed6
                                                                                            • Instruction ID: f20cb4aa20cc7514c28073ab89714ffbcaf638a3f9660a7aa76e52c23cd2b014
                                                                                            • Opcode Fuzzy Hash: cf5af02d3c57347f952b795045ee02fb0e0c418f4975e92e78d9310c20f4aed6
                                                                                            • Instruction Fuzzy Hash: 9EB0927094530CAF8620DA99A90285ABBACDA0A210B0005D9EA098B320D972A91056D1
                                                                                            Function 01859D70 Relevance: .0, Instructions: 9COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c3587b9cb5fb427e857e49e07fc5786c206b66a97d03f8c640ead2e0e3ee2dca
                                                                                            • Instruction ID: 56c10184d13cc00a456d4820d55a39c7bc99f3b8ba97f94beacb41387d73721b
                                                                                            • Opcode Fuzzy Hash: c3587b9cb5fb427e857e49e07fc5786c206b66a97d03f8c640ead2e0e3ee2dca
                                                                                            • Instruction Fuzzy Hash: F8C012A1A046404BDF009768A8A9BAE3A70AB64379F0903AEC8A00F1D3E354990CAB41
                                                                                            Function 05C01BF6 Relevance: .0, Instructions: 9COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cbeb4d9789a319da04ccebfbeac31237a84c97a61b131320423a20b1c5da1434
                                                                                            • Instruction ID: 1fa096b34d12185c260f417e809336548945b56b2f44f5aee0bb68b927d7111f
                                                                                            • Opcode Fuzzy Hash: cbeb4d9789a319da04ccebfbeac31237a84c97a61b131320423a20b1c5da1434
                                                                                            • Instruction Fuzzy Hash: 6FC04C36A0101D8B8F00DB84F4554DCF731FB84225B204162D515635009A3529178B90
                                                                                            Function 01859DA8 Relevance: .0, Instructions: 7COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2052066547.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_1850000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a1c43c30a629470c8d1ca83e41bd8854da17a0894c414469d07a46ca1d0d7c5
                                                                                            • Instruction ID: b20d4034a49e4949c4e395615fce7ae8ab435c0ed0f09fea7f52a44edb42918d
                                                                                            • Opcode Fuzzy Hash: 5a1c43c30a629470c8d1ca83e41bd8854da17a0894c414469d07a46ca1d0d7c5
                                                                                            • Instruction Fuzzy Hash: 64B0123107471F4FC6407B58F45AD183B6CEA44205B400120B90D09435BF6C7C489788
                                                                                            Function 05C03CB0 Relevance: .0, Instructions: 7COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3a538959e3b257ee4b294f84852ad0ef3a84f502fb020f21b7b175e0b01238e0
                                                                                            • Instruction ID: ee59852143a74624df781abf53332453b8e459feffa50e2c7f405c7c306c7132
                                                                                            • Opcode Fuzzy Hash: 3a538959e3b257ee4b294f84852ad0ef3a84f502fb020f21b7b175e0b01238e0
                                                                                            • Instruction Fuzzy Hash: 80C02BF15089004FC700CF50CC29306BB216BE0341F22C019E0846B3C5E730DC01CB52
                                                                                            Function 05C0A071 Relevance: .0, Instructions: 7COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d4db38f97f5a06c7ea743d489175889f6287ab4700bc129c551de92c0bb21778
                                                                                            • Instruction ID: abf532617452020b5148d4403f232b50b052b984f33301bc36dbb4ee3e101293
                                                                                            • Opcode Fuzzy Hash: d4db38f97f5a06c7ea743d489175889f6287ab4700bc129c551de92c0bb21778
                                                                                            • Instruction Fuzzy Hash: C1C092B660DB84CBDF266B304C340413E316F67101BDE58FB80908E1E2933DA8A5E713

                                                                                            Non-executed Functions

                                                                                            Function 05BE7DB0 Relevance: 2.9, Strings: 2, Instructions: 366COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071657437.0000000005BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5be0000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Hnq$Hnq
                                                                                            • API String ID: 0-3075287205
                                                                                            • Opcode ID: aebd3d4380b63b50d21c2d3e92cdff9a65ba8f6b591874501a76f975bcfa8dce
                                                                                            • Instruction ID: eba019b6e7b85af40611d44bc73b071186062660059d1117195421b6378bab35
                                                                                            • Opcode Fuzzy Hash: aebd3d4380b63b50d21c2d3e92cdff9a65ba8f6b591874501a76f975bcfa8dce
                                                                                            • Instruction Fuzzy Hash: 2AE15331D1065A9FCF05DFA8C8405DEFBB2FF99310F25865AE415BB215EB30A986CB90
                                                                                            Function 05C01E9B Relevance: 1.8, Strings: 1, Instructions: 545COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2071746512.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_5c00000_XCnB8SL.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'jq
                                                                                            • API String ID: 0-3676250632
                                                                                            • Opcode ID: 2b750d95cdabff908626b4aaa09896709699998492c0e4bedcfc098cd9c4ccd5
                                                                                            • Instruction ID: cbbc3a24530f21d74ba983b2d6d00dc8c98e2b407aaba6b03e055b603c4398a8
                                                                                            • Opcode Fuzzy Hash: 2b750d95cdabff908626b4aaa09896709699998492c0e4bedcfc098cd9c4ccd5
                                                                                            • Instruction Fuzzy Hash: F22207347002148FDB19DB38C998A6DB7F2FF89214F5485A9E50A9B3A5DB35ED82CF40

                                                                                            Executed Functions

                                                                                            Function 06EF1630 Relevance: 2.7, Strings: 2, Instructions: 155COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $jq$$jq
                                                                                            • API String ID: 0-3720491408
                                                                                            • Opcode ID: 525f9fbb4314a2885d9f575707c34c74b9f140db4953052c63a71020c1e616ab
                                                                                            • Instruction ID: 06e51c87554bb1e62815ee9059f4e6a3bd4c5912dfb19c8a9b4476a83f722384
                                                                                            • Opcode Fuzzy Hash: 525f9fbb4314a2885d9f575707c34c74b9f140db4953052c63a71020c1e616ab
                                                                                            • Instruction Fuzzy Hash: F751F331B143098FCB55DF78D8506EEBBB6EFC5250B24806AE609D73A5DA309D01CB90
                                                                                            Function 06EF28B4 Relevance: 2.6, Strings: 2, Instructions: 139COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq$LRjq
                                                                                            • API String ID: 0-1648622204
                                                                                            • Opcode ID: 14ed208795c2c22b00f5a3beed432d795573770ac6b7296921ef05bd0888337d
                                                                                            • Instruction ID: b20546fe570c69936596b9aa782bdc86d431c3ccfdb5b67a6f50bb2a29421bd7
                                                                                            • Opcode Fuzzy Hash: 14ed208795c2c22b00f5a3beed432d795573770ac6b7296921ef05bd0888337d
                                                                                            • Instruction Fuzzy Hash: 11412230B243144FDB8A9FB998243BF3AABEFC5200F109469EA06D7395DF348E058790
                                                                                            Function 06EF50D0 Relevance: 2.6, Strings: 2, Instructions: 98COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $jq$$jq
                                                                                            • API String ID: 0-3720491408
                                                                                            • Opcode ID: cb730205c45e3152a3f998af17d566d7c9ff5810f4cbfdabd6981448631a227d
                                                                                            • Instruction ID: 75d8d1f69bfc3e1218e4a1ad8b48f90d4462f5be49f102c923248522ebcb6ca7
                                                                                            • Opcode Fuzzy Hash: cb730205c45e3152a3f998af17d566d7c9ff5810f4cbfdabd6981448631a227d
                                                                                            • Instruction Fuzzy Hash: 4D319F30E20318DFEB149F69D8546AEBBB2EF98344F14C029D901AB395DF34A845CB90
                                                                                            Function 06EF6508 Relevance: 1.5, Strings: 1, Instructions: 242COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq
                                                                                            • API String ID: 0-665714880
                                                                                            • Opcode ID: 9aaa6e5ce4fe0bbf9a93d3b45ce477c238b0926f3447cba1b64d58358cf9677d
                                                                                            • Instruction ID: 7a2a44a8fcadc67cb8b394e03fd8b9324d9e88dd35f9c4607ab9879f85514cc8
                                                                                            • Opcode Fuzzy Hash: 9aaa6e5ce4fe0bbf9a93d3b45ce477c238b0926f3447cba1b64d58358cf9677d
                                                                                            • Instruction Fuzzy Hash: 7781DF30F213149FDB649F74E858BAEBBB2BF84744F148469E606AB2D1DB709C44CB90
                                                                                            Function 06EF1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: 26fce4d0022e93bff3774f27bf8d5ba1d9bbbf7f3b6cad46b61ca13d5714c8ba
                                                                                            • Instruction ID: 01ea6ddbbbb733337eeff0df84ff14a866f9a5eb145d118eea2c676b3a064dab
                                                                                            • Opcode Fuzzy Hash: 26fce4d0022e93bff3774f27bf8d5ba1d9bbbf7f3b6cad46b61ca13d5714c8ba
                                                                                            • Instruction Fuzzy Hash: 3A71A731F10318DFDB449BB5C854AAEB7ABAFC8350F159029D606EB3A4DE759C02CB91
                                                                                            Function 06EF29A3 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: W
                                                                                            • API String ID: 0-655174618
                                                                                            • Opcode ID: d3470e4544b06c400d79f10ec2fccb2eb33ebb1ee677bde61de98885f4e9cd46
                                                                                            • Instruction ID: ba6566038f240afd7717813d5be87e9d0399cd3f95c2b75605b7920f1cd2fc3a
                                                                                            • Opcode Fuzzy Hash: d3470e4544b06c400d79f10ec2fccb2eb33ebb1ee677bde61de98885f4e9cd46
                                                                                            • Instruction Fuzzy Hash: F6518D35B103108FCB45DF79D990A5EBBB6EF8821071485A9EA05EB399DF34ED06CB90
                                                                                            Function 06EF2878 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq
                                                                                            • API String ID: 0-665714880
                                                                                            • Opcode ID: fc121137651ec1d465eded074d79ee0c57b207fb1062d7405338563a391223be
                                                                                            • Instruction ID: 423b6dde13352b875ed598db3dd0b7782e7693551698ca11323d665890e23c61
                                                                                            • Opcode Fuzzy Hash: fc121137651ec1d465eded074d79ee0c57b207fb1062d7405338563a391223be
                                                                                            • Instruction Fuzzy Hash: 42312631B193955FDB459F789C607BF3BEAAF81204F14506EE646C72D6EB348904C790
                                                                                            Function 06EF0C1C Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: 86bc7ae43cd56182c69da78574a969a0a1d3b06a6499996c5d9f24838d5dce59
                                                                                            • Instruction ID: 77b7d9db91dc050da619b54ff1efe0293fa71605d447c60a16e868d2adddf700
                                                                                            • Opcode Fuzzy Hash: 86bc7ae43cd56182c69da78574a969a0a1d3b06a6499996c5d9f24838d5dce59
                                                                                            • Instruction Fuzzy Hash: F7313730B693899FE78AA73948243FF3BA79FC6300F14945AD602E7286CD250D0583E2
                                                                                            Function 06EF50BF Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $jq
                                                                                            • API String ID: 0-2886413773
                                                                                            • Opcode ID: 6bc71920aecedfcbe8848a3ce29bc39384c7c43f6101911fc936530c32d55ac1
                                                                                            • Instruction ID: dbd65f67fe7de10c69245aa573ef2fa96e5ec54666df9aebadfb61a3419731ab
                                                                                            • Opcode Fuzzy Hash: 6bc71920aecedfcbe8848a3ce29bc39384c7c43f6101911fc936530c32d55ac1
                                                                                            • Instruction Fuzzy Hash: 3631B230E20314DFEB558F74D8547AEBBB2BF98304F14C069D902AB395DB70A845CB90
                                                                                            Function 06EF28C4 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (nq
                                                                                            • API String ID: 0-2756854522
                                                                                            • Opcode ID: b83c1f7af95a77e56c6ff5e40c6f29c3a2af5252038ece5abc23d780d7808f7d
                                                                                            • Instruction ID: df32da09f91bc706f3d11177db0ed60472a82e5d7164658de659620fddbf4395
                                                                                            • Opcode Fuzzy Hash: b83c1f7af95a77e56c6ff5e40c6f29c3a2af5252038ece5abc23d780d7808f7d
                                                                                            • Instruction Fuzzy Hash: 4C214931B1A3544FD7865B6658987BF7F9BAFC1210F04A06AEB4AC73D2CE348805C7A5
                                                                                            Function 06EF2D60 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq
                                                                                            • API String ID: 0-665714880
                                                                                            • Opcode ID: bd67bf2aaca85e9cd9a2941b703d1110ddb1a2011e03374abf6eed91b1b82934
                                                                                            • Instruction ID: 60db409852801abfd55f81238504dcb4ceb204a74e29d5d90edced68f99f7fef
                                                                                            • Opcode Fuzzy Hash: bd67bf2aaca85e9cd9a2941b703d1110ddb1a2011e03374abf6eed91b1b82934
                                                                                            • Instruction Fuzzy Hash: F621FF31B213154FDB899FB89C507BF37A7AF84204F20A429E706C7298EB358A058B90
                                                                                            Function 06EF8A31 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq
                                                                                            • API String ID: 0-665714880
                                                                                            • Opcode ID: 11b62a763027d02e4b15a6df38240962b4061aac227956ebe5a24ed3a7401291
                                                                                            • Instruction ID: 704a6f6f897b939f49aeb4c9117c826d50c001bcd609b91bc7044a93803797a0
                                                                                            • Opcode Fuzzy Hash: 11b62a763027d02e4b15a6df38240962b4061aac227956ebe5a24ed3a7401291
                                                                                            • Instruction Fuzzy Hash: 9121BD34F12308ABDB549F61E859BAF7BB7EB88644F108428E602A3284DF705D01CB90
                                                                                            Function 06EF8A40 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRjq
                                                                                            • API String ID: 0-665714880
                                                                                            • Opcode ID: a69595f8f696a65380dbd33f33bb283889db3e6e0e9614bb65af89f67c75ac0f
                                                                                            • Instruction ID: f077b8f5d6459c3ec9e0d65a437266cd97225199b248cdd8494a581f812258bf
                                                                                            • Opcode Fuzzy Hash: a69595f8f696a65380dbd33f33bb283889db3e6e0e9614bb65af89f67c75ac0f
                                                                                            • Instruction Fuzzy Hash: 92219E34F113089BDB88CF61E5597AEBBB3EB88744F148428E602A7394DF706D01CB80
                                                                                            Function 06EF29C8 Relevance: .2, Instructions: 228COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e40eed077ad37cf6029bd408a754b421e0dcc89aeb3aaef30cf269a6f16b355a
                                                                                            • Instruction ID: 9ddad51e1ccc460db94ef97e658ea4c91c9843360c97deb0282442e06c777b63
                                                                                            • Opcode Fuzzy Hash: e40eed077ad37cf6029bd408a754b421e0dcc89aeb3aaef30cf269a6f16b355a
                                                                                            • Instruction Fuzzy Hash: 8A916B35A10715CFCB44DFA9D89059EB7B6FF88310B148669EA09AB354EF30ED85CB90
                                                                                            Function 06EF6F18 Relevance: .2, Instructions: 166COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a3db4a586c353ef8d0e7b5f4776cac82de938f873f367e31b4133e0bca96a42c
                                                                                            • Instruction ID: 0ac14e0064f07723cf3aabf324612507a80f087653ea74cfbc7ec1895724c1a4
                                                                                            • Opcode Fuzzy Hash: a3db4a586c353ef8d0e7b5f4776cac82de938f873f367e31b4133e0bca96a42c
                                                                                            • Instruction Fuzzy Hash: 6951B330D153599FD701DFB8D860BDDBFB6EF85300F148196E104AB2A2EB34A948CBA1
                                                                                            Function 06EF6F78 Relevance: .1, Instructions: 139COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5a8815d799686db2d5fa052113e27a107688ca096be8b611eef7912029f8ab5
                                                                                            • Instruction ID: 5f469606d509400f50abbd242267e5fbc7ce7af60235d2ee1323a020c1a8e871
                                                                                            • Opcode Fuzzy Hash: c5a8815d799686db2d5fa052113e27a107688ca096be8b611eef7912029f8ab5
                                                                                            • Instruction Fuzzy Hash: A451B170E103099FDB00DFB8D854B9DBBB6FF88300F208559E104BB291EB74A945CB90
                                                                                            Function 06EF2268 Relevance: .1, Instructions: 106COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 007aae8cb99825e93a8bbfc4250cce9c5042afdaf1c1f154780119d3fa61ed81
                                                                                            • Instruction ID: a78709ae92fcbe51746abdcf32988f8453ca3ee192f951e86e063c7a6d7c1ae5
                                                                                            • Opcode Fuzzy Hash: 007aae8cb99825e93a8bbfc4250cce9c5042afdaf1c1f154780119d3fa61ed81
                                                                                            • Instruction Fuzzy Hash: 68413C75B102149FCB84DFA8D98499EBBB6FF8C310B108169EA05EB361DB31ED41CB90
                                                                                            Function 06EF6390 Relevance: .1, Instructions: 95COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 888a7fef7d61bd5d898989fedb1e19d412f5935535f6bc067fd96d2e3163f084
                                                                                            • Instruction ID: cb7a286deeccb81ee2415bd80cdf17e2fde10370c80e4dd2c63af0c9b78dc701
                                                                                            • Opcode Fuzzy Hash: 888a7fef7d61bd5d898989fedb1e19d412f5935535f6bc067fd96d2e3163f084
                                                                                            • Instruction Fuzzy Hash: E931D378E11218DFCB44DFA9D59499EBBF6FF88310B25806AE905E7365DB30AC41CB90
                                                                                            Function 06EF63A0 Relevance: .1, Instructions: 91COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 491cc85dc64a81c7660fcf49226b716b55d482db678bb5ae031e1e7f333e86d8
                                                                                            • Instruction ID: 62c4e2912bedc70c73094722a395f8cd555f8e434e829403fb4369725805d766
                                                                                            • Opcode Fuzzy Hash: 491cc85dc64a81c7660fcf49226b716b55d482db678bb5ae031e1e7f333e86d8
                                                                                            • Instruction Fuzzy Hash: 8C31C574A112189FCB44DFA9D59499EBBFAFF88310B25806AE905E7365DB30EC41CF90
                                                                                            Function 06EF9360 Relevance: .1, Instructions: 86COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 946d226b35f505960c953df23651b5b907da85e001527b684079b235e57cc07d
                                                                                            • Instruction ID: 08bb5c0e81d5f23c3528b8453b059f73d40c886129ed5b422723a5eff2a5c505
                                                                                            • Opcode Fuzzy Hash: 946d226b35f505960c953df23651b5b907da85e001527b684079b235e57cc07d
                                                                                            • Instruction Fuzzy Hash: 8C21292172F3944FC7975B3148A83BF2F665B92110B05A097DB89C76D3DE244905C3A2
                                                                                            Function 06EF1062 Relevance: .1, Instructions: 86COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 67e625391a874e0d75a9db0583afb2d62e302373821c27fa7a842d63d3ad0693
                                                                                            • Instruction ID: dd621c17c901b4bb81607ad19192925720f6a0e13316bb25eb42d497fd0a6fc0
                                                                                            • Opcode Fuzzy Hash: 67e625391a874e0d75a9db0583afb2d62e302373821c27fa7a842d63d3ad0693
                                                                                            • Instruction Fuzzy Hash: BD213732B11388DBDB549B769C54AFB7BAE9BC8280F046036DA06D7345E9748E1687A0
                                                                                            Function 06EF28E4 Relevance: .1, Instructions: 83COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 09e7949b55c66f0d7c24b0567262a28f1926d70ca9e629e51c95ecb6add8dbfa
                                                                                            • Instruction ID: daffa549502b08da50e31f21923b0b93507a5226209deb95fae3a7cff8d6add2
                                                                                            • Opcode Fuzzy Hash: 09e7949b55c66f0d7c24b0567262a28f1926d70ca9e629e51c95ecb6add8dbfa
                                                                                            • Instruction Fuzzy Hash: 62216032A3A3586FDBC237A128107FB7F59CF41261F10E46BFB4996152DA25C544C3E1
                                                                                            Function 06EF28D4 Relevance: .1, Instructions: 69COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9ec69492fe24a61d71a0147c6b5505a67822f7ee7bcfda81731ff288e05e3060
                                                                                            • Instruction ID: 6cd739c35b072bb927e1122fee560732fdbeff45537b56b58b23dcdf75e0cdde
                                                                                            • Opcode Fuzzy Hash: 9ec69492fe24a61d71a0147c6b5505a67822f7ee7bcfda81731ff288e05e3060
                                                                                            • Instruction Fuzzy Hash: C4110A11B393954FDBEA23F45C203BB6E5A4B42614F1464E7DB46DB283CA548D0503A6
                                                                                            Function 06EF2258 Relevance: .1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5df599baee70eb9a2e10c56c1ca21b6a5d4ceda2a0d18058c8b1cd0e4dfe81e
                                                                                            • Instruction ID: aedbac6a73cb4f252fa03ae3edc3a6f72b1d4202d0e02ae72318bd6d2af1ce1c
                                                                                            • Opcode Fuzzy Hash: c5df599baee70eb9a2e10c56c1ca21b6a5d4ceda2a0d18058c8b1cd0e4dfe81e
                                                                                            • Instruction Fuzzy Hash: 3E110D75E102149FCB84DF69D9809DEBBF2FF4C710B148129E915EB324DB319941CB90
                                                                                            Function 06EF9460 Relevance: .1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 531411e28abbc78ba8b105fc0e30a3906e587be40b80f0406b1a121730a44e72
                                                                                            • Instruction ID: c79c5ab38686ed4baa87ed3495c4dd438eb96feeffc0c85ff90244c75c27374a
                                                                                            • Opcode Fuzzy Hash: 531411e28abbc78ba8b105fc0e30a3906e587be40b80f0406b1a121730a44e72
                                                                                            • Instruction Fuzzy Hash: 8E119031A19204EFCBC4DF65D860AEA7BB7AF88315F10901AD609A33C0DF356845CB90
                                                                                            Function 06EF0F20 Relevance: .1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e42d4a55da6d621f7a0b56c5612385e768e2b82b42c5127aba5e1444c97df37f
                                                                                            • Instruction ID: ded3e75beb396feb9e4cecc28798ba6a1663f797577e2758fe7f8b128b790702
                                                                                            • Opcode Fuzzy Hash: e42d4a55da6d621f7a0b56c5612385e768e2b82b42c5127aba5e1444c97df37f
                                                                                            • Instruction Fuzzy Hash: 1B01B136B2A3589BCBD957791C646AF6F4E5FC2210F15647ADB08CF302DD248C00C2E1
                                                                                            Function 06EF3080 Relevance: .1, Instructions: 59COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4c5ee873f9b03d9993c1f3f5c38f4e17328d9df6351b053c96de96c575081c31
                                                                                            • Instruction ID: 2701f6fea56f8905c52103d741bec4ab5bab125e81ec15d6101f1bc00855239d
                                                                                            • Opcode Fuzzy Hash: 4c5ee873f9b03d9993c1f3f5c38f4e17328d9df6351b053c96de96c575081c31
                                                                                            • Instruction Fuzzy Hash: C4116D30A14309AFDB88DF66CC50AAEBBB7AF8C314F149029D509A7394DE759849CBD0
                                                                                            Function 06EF9470 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3c9bc7611d6e90e17494f67eeaf149cc65e10d78c497d8851310fbbb954baad4
                                                                                            • Instruction ID: 59115453e21e5d4e5c4e102507d603f4efaa6aa43ac41a63e10041bf818c9051
                                                                                            • Opcode Fuzzy Hash: 3c9bc7611d6e90e17494f67eeaf149cc65e10d78c497d8851310fbbb954baad4
                                                                                            • Instruction Fuzzy Hash: A0119D30A14308EFCBC4EF66C850AAEBBB7AF8C310F105019D609A73C0DF35A8458B90
                                                                                            Function 06EF1378 Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2a2e37a7a825c9187f35cdee2726ec158b8c73e2c916197982383f23a689ba5f
                                                                                            • Instruction ID: b5c88d44e3dd49bfa7bd637e027e2958e751ce4a97e9eda7e7e18a4ca623fe4d
                                                                                            • Opcode Fuzzy Hash: 2a2e37a7a825c9187f35cdee2726ec158b8c73e2c916197982383f23a689ba5f
                                                                                            • Instruction Fuzzy Hash: D92104B1D002498EDB20DFAAC844AEEFFF0FF88324F10852AD51967240CB355945CFA1
                                                                                            Function 06EF307D Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b7f2490ab3c2b5b3d953b7c045cba04fb7b1f714a0ce60c0719a46c8b2ba2abf
                                                                                            • Instruction ID: 0ba8b0c6aee4bd5352762e1ac69a547695772ee21459f28e4953ea177f9a74e3
                                                                                            • Opcode Fuzzy Hash: b7f2490ab3c2b5b3d953b7c045cba04fb7b1f714a0ce60c0719a46c8b2ba2abf
                                                                                            • Instruction Fuzzy Hash: F7117C30A14309DFDB84DF65C860AAEBBB7AF8C305F109029D609A7394DF759846CB90
                                                                                            Function 06EF2CD0 Relevance: .1, Instructions: 55COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 655307be194b9f366b7cc933574558dca5130fb21639cf7e6310872c4549835c
                                                                                            • Instruction ID: ec815b95bcf32f03e31da36e80e37e8d0e6e1ad1eff6361863166610f57bf7b1
                                                                                            • Opcode Fuzzy Hash: 655307be194b9f366b7cc933574558dca5130fb21639cf7e6310872c4549835c
                                                                                            • Instruction Fuzzy Hash: E801A532F102188FDF548BE8D8102EEB7F6EF88315F049039D605B7254DB369A45CBA5
                                                                                            Function 06EF2CC3 Relevance: .1, Instructions: 54COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3d72c2df44c972c56fb7583ae8659d1b1b8dead1b3b79e3305d60e67a294f056
                                                                                            • Instruction ID: 7e98b7799c09cb7bfaa4e9ff144bae182e48f6acc7be6527389544f3651986c5
                                                                                            • Opcode Fuzzy Hash: 3d72c2df44c972c56fb7583ae8659d1b1b8dead1b3b79e3305d60e67a294f056
                                                                                            • Instruction Fuzzy Hash: A101DB35F253548FDF9587E49C206EE7BF6AF88204F149069D305E7259CB368E40CBA5
                                                                                            Function 06EF8058 Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 23d25b2b272b13c0747c6f0ffd4e1d8a9aaed08825bcd7be4142f6e0ad15f0bd
                                                                                            • Instruction ID: 14c8330944b9c8fbde89e4009e6521aca2168891f4fbe0c4e0f79a5b7a9e5c37
                                                                                            • Opcode Fuzzy Hash: 23d25b2b272b13c0747c6f0ffd4e1d8a9aaed08825bcd7be4142f6e0ad15f0bd
                                                                                            • Instruction Fuzzy Hash: 36017C3B7151109F8B44DA6DF89486EB7ABEBC8265354803AF605C7310DE72EC028795
                                                                                            Function 06EF1380 Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bd3aaf21f7e9c4637f449a63cf0e05fae2f0f1580f13ea5e7e70f09eeba2cdc5
                                                                                            • Instruction ID: 18ece331b59673dcdcb48d21be2f43eabb7652a31fd69d738ca0afe8d6ae3866
                                                                                            • Opcode Fuzzy Hash: bd3aaf21f7e9c4637f449a63cf0e05fae2f0f1580f13ea5e7e70f09eeba2cdc5
                                                                                            • Instruction Fuzzy Hash: CC11E3B5D042498BDB20DFAAC885AEEFBF4FF88324F10841AD51967240CB786945CFA1
                                                                                            Function 06EF1968 Relevance: .1, Instructions: 51COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 06ceec3b8c99c4385d3fd17690e03ae9ff16dce16e520882829b610a3e823914
                                                                                            • Instruction ID: 9352cc1b99d20eddaba69adf01a80de7a72809313a6970eb381cef64ef1e227c
                                                                                            • Opcode Fuzzy Hash: 06ceec3b8c99c4385d3fd17690e03ae9ff16dce16e520882829b610a3e823914
                                                                                            • Instruction Fuzzy Hash: 4D116D31605304AFCB44DF69D854AAEBBB7EF8C314F105019E60AA7390DF719846CB90
                                                                                            Function 06EF1440 Relevance: .0, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0b4faba1f23f6e30572bd7be206938688d349238c97d1cd1035a9acae7e6149
                                                                                            • Instruction ID: 8108c438c651a9da792999c5806a354bf3f594cf1c6557ba43d377e086eee611
                                                                                            • Opcode Fuzzy Hash: a0b4faba1f23f6e30572bd7be206938688d349238c97d1cd1035a9acae7e6149
                                                                                            • Instruction Fuzzy Hash: E901A230A2A3499FC74A9FB56D2556B3FAEDFC621830518AAD709CF1E2F9148805C7E1
                                                                                            Function 06EF6A1F Relevance: .0, Instructions: 46COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d13d8469778ab17776bad81a4b37f36feaf3c9e28df5b81fcd64ebfb8b418d2d
                                                                                            • Instruction ID: 509f3725daf9f1448f7c763cc85426b4ebd7836b960ec917e47cce55446ee723
                                                                                            • Opcode Fuzzy Hash: d13d8469778ab17776bad81a4b37f36feaf3c9e28df5b81fcd64ebfb8b418d2d
                                                                                            • Instruction Fuzzy Hash: 4C01B131B103148BDB98AB79C9283EE77E7AFC8240F24946ED606A7390CF754D068BC0
                                                                                            Function 06EF6B0C Relevance: .0, Instructions: 46COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca182a92f7eaa716dd9231887fb7dc7dbcd4d3e8353a3d4ceb0419f3cb2ff550
                                                                                            • Instruction ID: 60c1307d7aeed5267db2702b28dfcb653f99681e5014bf387a4b9dd5b77e0905
                                                                                            • Opcode Fuzzy Hash: ca182a92f7eaa716dd9231887fb7dc7dbcd4d3e8353a3d4ceb0419f3cb2ff550
                                                                                            • Instruction Fuzzy Hash: B0F07832F143244BEBD517A45C217BD6752DBC1318F44996AE3099F2E9DA279803C380
                                                                                            Function 06EF1829 Relevance: .0, Instructions: 46COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 657d6f7620be7370532f90cc850c0c8ba491bfac470c8aeeb06ab98414e1b591
                                                                                            • Instruction ID: dbf945ad758bd8279e9d79a09482415dd8f487e65452a5d69d7eee4c92cbaf55
                                                                                            • Opcode Fuzzy Hash: 657d6f7620be7370532f90cc850c0c8ba491bfac470c8aeeb06ab98414e1b591
                                                                                            • Instruction Fuzzy Hash: 9301F932F20319D7EB98DB68C5213EF7AE75B88204F15501DD612B3380CE720D0087E1
                                                                                            Function 06EF6A30 Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ad3a5dacd838680681096d7ff7e007f0cf42b96e4b9125e35d7c981e73490140
                                                                                            • Instruction ID: 6c30dd6f7afab077c468f9df5ecf7321082d709ae88bde4dadfd676f711b8369
                                                                                            • Opcode Fuzzy Hash: ad3a5dacd838680681096d7ff7e007f0cf42b96e4b9125e35d7c981e73490140
                                                                                            • Instruction Fuzzy Hash: AA01DF31B103148BDB98AB6AC8287AF7AEB9FC8340F20806DD206A7380CE714D058BD1
                                                                                            Function 02F5D005 Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2065234645.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2f5d000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9fcef9e9b4fcead9ce474d0274cf0d62eddef763d265bd91e1236982d8654d06
                                                                                            • Instruction ID: 109853ebd67b6c2ecd55d4ff78df248b600224fc6a4ed1dade55aa3db5f1bb96
                                                                                            • Opcode Fuzzy Hash: 9fcef9e9b4fcead9ce474d0274cf0d62eddef763d265bd91e1236982d8654d06
                                                                                            • Instruction Fuzzy Hash: 4D01407140E3D09ED7128B258894762BFB8DF53624F1D81DBDD888F2A7C2695849C772
                                                                                            Function 02F5D01D Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2065234645.0000000002F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F5D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2f5d000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 396f265272386575a352c3fd1ec1bffce7d22eb54ef993ea37b35847b483755e
                                                                                            • Instruction ID: c2ed0321d67d4d20302797a58df8498e3a6b472c74283d2b8d08f9456489a69b
                                                                                            • Opcode Fuzzy Hash: 396f265272386575a352c3fd1ec1bffce7d22eb54ef993ea37b35847b483755e
                                                                                            • Instruction Fuzzy Hash: D8012B715063509AE7208A25CD84B67BF98EF417A4F18C42AEF480B24AC3799842C6B1
                                                                                            Function 06EF0F30 Relevance: .0, Instructions: 42COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cc63263dcf658040c3df01f239d08e61a6207385c0149525ed4fec366c39edbc
                                                                                            • Instruction ID: aaac44d8b8e49dcc6ddcaa134a850d1b0bc9733592df81b4ae5ab475beb95954
                                                                                            • Opcode Fuzzy Hash: cc63263dcf658040c3df01f239d08e61a6207385c0149525ed4fec366c39edbc
                                                                                            • Instruction Fuzzy Hash: 65F0902076E3A95FC68B23381C200EA2F698A9358074A58A69615CB287C8094D0A83E2
                                                                                            Function 06EF7FDA Relevance: .0, Instructions: 38COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e1b100b588321fd9b38f5dadab0469690fb7f6d69bed2704c0d21c70b16467db
                                                                                            • Instruction ID: a5fce41d591b948336a79c79ac8289079fb6b7f068c070f476e3ff2f2c530943
                                                                                            • Opcode Fuzzy Hash: e1b100b588321fd9b38f5dadab0469690fb7f6d69bed2704c0d21c70b16467db
                                                                                            • Instruction Fuzzy Hash: 65F0BE31310310578321A76EEC81D9BBBDFDEC4A60384812AF60A8B364EFB1EC0487E0
                                                                                            Function 06EF1431 Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 164dde8f3967ffa0a9e345311986a5e4f8ea00b088a40f0aadfa1039764c2231
                                                                                            • Instruction ID: c796960d3421aeecf777851f00f95735039b334c408720c766a8f50565fedd16
                                                                                            • Opcode Fuzzy Hash: 164dde8f3967ffa0a9e345311986a5e4f8ea00b088a40f0aadfa1039764c2231
                                                                                            • Instruction Fuzzy Hash: A0F02470B1A3068FD74A9F765E655673B9BEFC1218300186A8205CF1E1F6248800C3E2
                                                                                            Function 06EF7FE0 Relevance: .0, Instructions: 34COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c37eb4c44b63259804859054c5507991e421894a1db84102f5ecdc506409396b
                                                                                            • Instruction ID: 95874ce5125a6644e7c85c457a5230e5befd641fd652c2d8e5b048c4d46d291a
                                                                                            • Opcode Fuzzy Hash: c37eb4c44b63259804859054c5507991e421894a1db84102f5ecdc506409396b
                                                                                            • Instruction Fuzzy Hash: CBF08271710310478765A75EE88199FBBDFDFC4664384812AE60ACB314EEB5ED0587D0
                                                                                            Function 06EF0F50 Relevance: .0, Instructions: 33COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 732262c7ff66086d02e7a4067227ae9a41f508a0b29968bbcb41f6598642c69f
                                                                                            • Instruction ID: 4af0d35af8722d59ca85dbfdfc487679d94edc6309bb5f52c6a7b8f8d92b95f7
                                                                                            • Opcode Fuzzy Hash: 732262c7ff66086d02e7a4067227ae9a41f508a0b29968bbcb41f6598642c69f
                                                                                            • Instruction Fuzzy Hash: 97F05C3019B3889FC7459734A835BE77F6C5F42100B54AC91F609CF103C419C594C391
                                                                                            Function 06EF5278 Relevance: .0, Instructions: 32COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3ca1954755f60ebfe47be7cb3a0bd0cfe8ca8bb95e575f18c0b5e20a05682f42
                                                                                            • Instruction ID: d4bd351f9b082367192f23e228df4bdf3fac428db26c4522e596b05a51d854b4
                                                                                            • Opcode Fuzzy Hash: 3ca1954755f60ebfe47be7cb3a0bd0cfe8ca8bb95e575f18c0b5e20a05682f42
                                                                                            • Instruction Fuzzy Hash: 52F0273670D3401BC3014A25DC10787BBA68FC6325F1500BEE54897292DD766801C790
                                                                                            Function 06EF7F4A Relevance: .0, Instructions: 32COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dd845034006d81cc557983c311e642c4e0ceba0665112b9643e617a85e128a0b
                                                                                            • Instruction ID: 30d72c6faacc32be8c54375072d4379f031bc43e64df8365c432be00b0ffa105
                                                                                            • Opcode Fuzzy Hash: dd845034006d81cc557983c311e642c4e0ceba0665112b9643e617a85e128a0b
                                                                                            • Instruction Fuzzy Hash: 53F0B470909349AF8701DEB4DC018897FBADA0125570042DAE409D7212EB30AE449BD1
                                                                                            Function 06EF2EFB Relevance: .0, Instructions: 30COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5647aa424e4fca5b69eaa2dafb211b85387fec22662229b27ea6e08342220452
                                                                                            • Instruction ID: bb80f875fcb06d5a41263d6a8469a9c93178a0fe5b0471d013bf26b40ad543f0
                                                                                            • Opcode Fuzzy Hash: 5647aa424e4fca5b69eaa2dafb211b85387fec22662229b27ea6e08342220452
                                                                                            • Instruction Fuzzy Hash: 0FE0ED21F34B940FEBFA13E48C203AA6D8C0B42608F5050EBE782D7B93D7C4CA0113A2
                                                                                            Function 06EF1BBD Relevance: .0, Instructions: 29COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c7c032e8ff0e4599a37ecc1bc1569477e7312c62814f3e48b1a8c55c3733e737
                                                                                            • Instruction ID: b85504034875a5576b3753fdbe3fac55081a8f08d381ca76015d6a8bdb6f9db8
                                                                                            • Opcode Fuzzy Hash: c7c032e8ff0e4599a37ecc1bc1569477e7312c62814f3e48b1a8c55c3733e737
                                                                                            • Instruction Fuzzy Hash: CCE02236F34314CBCBA85B1694903AA964A6BC4274F206039DF088F304EB608C004290
                                                                                            Function 06EF5288 Relevance: .0, Instructions: 25COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 213e6dd20c0c3b8277390c27a2a32d6c3b517b501f90269c2066091766e44c5d
                                                                                            • Instruction ID: ec576d17af13ae0c348ac6832205335eeca5409b3f4b767f3f66e0722d3c159e
                                                                                            • Opcode Fuzzy Hash: 213e6dd20c0c3b8277390c27a2a32d6c3b517b501f90269c2066091766e44c5d
                                                                                            • Instruction Fuzzy Hash: 7AE026367082104BC314996AE84095BF79EDBC8664F10407DE50CD3355CD32BC028690
                                                                                            Function 06EF2958 Relevance: .0, Instructions: 21COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 237d10c5537e98cf750c669d7704cf42bc06e949607d46fb4a184dcce35a34e4
                                                                                            • Instruction ID: fcfc802a0100b7674e25469f4c37badf4007d359e1e033692d024d55890c0b4a
                                                                                            • Opcode Fuzzy Hash: 237d10c5537e98cf750c669d7704cf42bc06e949607d46fb4a184dcce35a34e4
                                                                                            • Instruction Fuzzy Hash: 71E04F71D09249AFCB11DFA4EE5196EBFBAEF02200B1045EAE909DB251EE705F04C792
                                                                                            Function 06EF17F0 Relevance: .0, Instructions: 18COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e358faa4b65e44d667c0cb6db0acdeb7d709a14cdae3c239e1c19de4bd0490f6
                                                                                            • Instruction ID: a4ad4642ceb2dc15a8fc2a1770029933ee6cccaa86d443ed1d04683513610b96
                                                                                            • Opcode Fuzzy Hash: e358faa4b65e44d667c0cb6db0acdeb7d709a14cdae3c239e1c19de4bd0490f6
                                                                                            • Instruction Fuzzy Hash: 4ED0A73322D3888FC3467F20AC204E97F79979A5513784067F642DB2A7C9260A25E7A0
                                                                                            Function 06EF0C0C Relevance: .0, Instructions: 17COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0c9e1d78eb1b16c3791bddbad9030ba21cc03ba3d1e6dfd406b08a65ebdf1c6c
                                                                                            • Instruction ID: 132e82b63dc3f903fc1133aa498f27c1474567b016a2d34a9cc4e44b5e2c02b9
                                                                                            • Opcode Fuzzy Hash: 0c9e1d78eb1b16c3791bddbad9030ba21cc03ba3d1e6dfd406b08a65ebdf1c6c
                                                                                            • Instruction Fuzzy Hash: 21D0A73322421C5B83846B18DC568AA7B9DEB842603505437FB02D3224CD616C1493D5
                                                                                            Function 06EF1C29 Relevance: .0, Instructions: 17COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2cd8dc5a05d59ffbf2ca261a8551aa1640dae24fd6094d3cb34e19daa9b229a9
                                                                                            • Instruction ID: 3153be146b8e8f6fbd18c008707c2ef7b58b7dca509c9ff2f0c771fd15d7eeea
                                                                                            • Opcode Fuzzy Hash: 2cd8dc5a05d59ffbf2ca261a8551aa1640dae24fd6094d3cb34e19daa9b229a9
                                                                                            • Instruction Fuzzy Hash: 00D0222B62B7AA378BCA03782D104DA4B0C0F43A10B1219F7D12CCF10280074C04C2E2
                                                                                            Function 06EF1D10 Relevance: .0, Instructions: 17COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 808e28dec457bb0b96dc78e1544325b8882c2856b99e7c45578a0791c9d5c121
                                                                                            • Instruction ID: 3c9e849e84831483f7f42113e94b4fdc32c8979ee04b3a65b9bda0896f41c0d4
                                                                                            • Opcode Fuzzy Hash: 808e28dec457bb0b96dc78e1544325b8882c2856b99e7c45578a0791c9d5c121
                                                                                            • Instruction Fuzzy Hash: 72D02230AE130C9BF7C037A1AC253BB33EC9780B0EF602024EF1D1A1C0DEA65490CA96
                                                                                            Function 06EF2968 Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3d21df72cc68017a1f6d4049e302c82643b839328d4f82dcf1cc3f5ee936f12a
                                                                                            • Instruction ID: af16db42e742d55e881a621e51e26c55f5040e4054bb9fea6f8461b60b3067d0
                                                                                            • Opcode Fuzzy Hash: 3d21df72cc68017a1f6d4049e302c82643b839328d4f82dcf1cc3f5ee936f12a
                                                                                            • Instruction Fuzzy Hash: 29D05B7090110CEFCB40DFA8EA4195DBBB9EF44204B1045E9E909D3200EE71AF04DB81
                                                                                            Function 06EF7F70 Relevance: .0, Instructions: 16COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5ab943ef55350df3402e40c6dd20ee0c3f47110ee574e27d29dad95bb2da21f9
                                                                                            • Instruction ID: 27219f26147cb57fa16fbc7bd80a92ecf8469fe53874b0dc52e51a6c761214ba
                                                                                            • Opcode Fuzzy Hash: 5ab943ef55350df3402e40c6dd20ee0c3f47110ee574e27d29dad95bb2da21f9
                                                                                            • Instruction Fuzzy Hash: 35D05E70A0120CEFCB41EFB8EA0195DBBFAEF44244B5041A8D909E7210EF317F00AB81
                                                                                            Function 06EF0440 Relevance: .0, Instructions: 13COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 87b729cdeb49a9bd6664d7188d9c32eea442f524c4a7a6d3636c74ddcc27e972
                                                                                            • Instruction ID: 51425ab102099f2d3c283483a0f4d2da77cc5137845415ad672398ee09c0c508
                                                                                            • Opcode Fuzzy Hash: 87b729cdeb49a9bd6664d7188d9c32eea442f524c4a7a6d3636c74ddcc27e972
                                                                                            • Instruction Fuzzy Hash: 4DC0123545F3D02FC70346619D05C977F765AA324434A0396F44186012811E0A64D3F1
                                                                                            Function 06EF0E7C Relevance: .0, Instructions: 8COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000003.2064421034.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_3_6ef0000_rundll32.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 89d2c41ecac36e97d41d0efc35dafeb4e82cd15bf5f4e595aed5580ddf1f05a1
                                                                                            • Instruction ID: 35ee6459d8160f82d989eedd581af0c92f6e50c8d6b3de5e4e77719854ff393f
                                                                                            • Opcode Fuzzy Hash: 89d2c41ecac36e97d41d0efc35dafeb4e82cd15bf5f4e595aed5580ddf1f05a1
                                                                                            • Instruction Fuzzy Hash: 53B01226964305D752C4A7354CE48F740CA9AC1300BC0FC5017129001E4C1CC0040008

                                                                                            Execution Graph

                                                                                            Execution Coverage:11.4%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:3%
                                                                                            Total number of Nodes:198
                                                                                            Total number of Limit Nodes:7
                                                                                            execution_graph 36727 4100bf0 36730 4100c2c 36727->36730 36728 4100c15 36731 4100c59 36730->36731 36732 4100c4d 36730->36732 36735 4101238 36731->36735 36732->36728 36736 410125d 36735->36736 36737 4101324 36735->36737 36736->36737 36741 4101238 CryptProtectData 36736->36741 36744 41014f3 36736->36744 36748 410148e 36736->36748 36752 41014eb 36736->36752 36756 4100f48 36737->36756 36741->36737 36745 4101515 36744->36745 36746 4100f48 CryptProtectData 36745->36746 36747 410154d 36746->36747 36747->36737 36749 41014a3 36748->36749 36750 4100f48 CryptProtectData 36749->36750 36751 410154d 36750->36751 36751->36737 36753 4101502 36752->36753 36754 4100f48 CryptProtectData 36753->36754 36755 410154d 36754->36755 36755->36737 36757 4101738 CryptProtectData 36756->36757 36759 4100cd5 36757->36759 36759->36728 36580 1a336b0 36581 1a336c6 36580->36581 36584 1a34c6e 36581->36584 36582 1a336cc 36586 1a34c90 36584->36586 36585 1a34cc6 36585->36582 36586->36585 36587 1a34d1d RtlGetVersion 36586->36587 36588 1a34dda 36587->36588 36588->36582 36760 54f132c 36761 54f0ec0 36760->36761 36762 54f0f4d 36761->36762 36763 4106730 3 API calls 36761->36763 36763->36762 36576 5c72b40 36577 5c72b9a 36576->36577 36578 5c72bf9 RegDisablePredefinedCache 36577->36578 36579 5c72bdc 36577->36579 36578->36579 36598 54f5be8 36599 54f5c2a 36598->36599 36600 54f5c30 WaitNamedPipeW 36598->36600 36599->36600 36601 54f5c64 36600->36601 36798 4105f68 36799 4105f8c 36798->36799 36800 4105f9c 36798->36800 36801 4105f95 36799->36801 36804 4106572 3 API calls 36799->36804 36805 4106598 3 API calls 36799->36805 36806 4106572 36800->36806 36812 4106598 36800->36812 36804->36799 36805->36799 36807 4106582 36806->36807 36809 41065bb 36807->36809 36810 1a3f930 3 API calls 36807->36810 36808 41065c4 36808->36799 36809->36808 36811 1a3f930 3 API calls 36809->36811 36810->36809 36811->36809 36814 41065bb 36812->36814 36815 41065cb 36812->36815 36813 41065c4 36813->36799 36814->36813 36817 1a3f930 3 API calls 36814->36817 36816 1a3f930 3 API calls 36815->36816 36816->36814 36817->36814 36602 1a3f788 36603 1a3f7ac 36602->36603 36604 1a3f7b3 36602->36604 36603->36604 36606 1a3f930 36603->36606 36607 1a3f953 36606->36607 36609 1a3f963 36606->36609 36608 1a3f95c 36607->36608 36610 41048f0 3 API calls 36607->36610 36611 41048e3 3 API calls 36607->36611 36608->36604 36609->36607 36613 1a3f930 3 API calls 36609->36613 36618 41048f0 36609->36618 36624 1a3a4c8 36609->36624 36629 1a3fab8 36609->36629 36637 41048e3 36609->36637 36643 1a3a4b8 36609->36643 36610->36607 36611->36607 36613->36607 36620 4104924 36618->36620 36621 4104914 36618->36621 36619 410491d 36619->36607 36623 1a3f930 3 API calls 36620->36623 36621->36619 36648 4106730 36621->36648 36623->36621 36625 1a3a4f9 36624->36625 36626 1a3a4ed 36624->36626 36625->36626 36627 41048f0 3 API calls 36625->36627 36628 41048e3 3 API calls 36625->36628 36626->36607 36627->36626 36628->36626 36630 1a3fadb 36629->36630 36632 1a3faeb 36629->36632 36631 1a3fae4 36630->36631 36703 4100040 36630->36703 36708 4100038 36630->36708 36631->36607 36633 1a3f930 3 API calls 36632->36633 36634 1a3fab8 3 API calls 36632->36634 36633->36630 36634->36630 36638 4104924 36637->36638 36639 4104914 36637->36639 36642 1a3f930 3 API calls 36638->36642 36640 410491d 36639->36640 36641 4106730 3 API calls 36639->36641 36640->36607 36641->36640 36642->36639 36644 1a3a4ed 36643->36644 36645 1a3a4f9 36643->36645 36644->36607 36645->36644 36646 41048f0 3 API calls 36645->36646 36647 41048e3 3 API calls 36645->36647 36646->36644 36647->36644 36649 4106770 36648->36649 36652 4100510 36649->36652 36651 410678b 36651->36619 36653 4100536 36652->36653 36656 54f16d0 36652->36656 36660 54f16e0 36652->36660 36653->36651 36657 54f16f2 36656->36657 36658 54f1715 36657->36658 36664 54f1721 36657->36664 36658->36653 36661 54f16f2 36660->36661 36662 54f1715 36661->36662 36663 54f1721 3 API calls 36661->36663 36662->36653 36663->36662 36665 54f1748 36664->36665 36669 54f1d58 36665->36669 36680 54f1d37 36665->36680 36666 54f1788 36666->36658 36670 54f1d7f 36669->36670 36671 54f1e00 36670->36671 36677 54f1e6a 36670->36677 36691 54f0784 36671->36691 36674 54f22f0 CreateNamedPipeW 36676 54f2549 36674->36676 36676->36666 36677->36674 36695 1a37490 36677->36695 36699 1a37481 36677->36699 36681 54f1d3f 36680->36681 36682 54f1e00 36681->36682 36688 54f1e6a 36681->36688 36683 54f0784 CreateNamedPipeW 36682->36683 36684 54f1e60 36683->36684 36684->36666 36685 54f22f0 CreateNamedPipeW 36687 54f2549 36685->36687 36687->36666 36688->36685 36689 1a37481 2 API calls 36688->36689 36690 1a37490 2 API calls 36688->36690 36689->36688 36690->36688 36692 54f2498 CreateNamedPipeW 36691->36692 36694 54f1e60 36692->36694 36694->36666 36696 1a374ba 36695->36696 36697 1a374d5 36696->36697 36698 1a3f930 3 API calls 36696->36698 36697->36677 36698->36697 36700 1a374ba 36699->36700 36701 1a374d5 36700->36701 36702 1a3f930 3 API calls 36700->36702 36701->36677 36702->36701 36704 410005f 36703->36704 36706 4100510 3 API calls 36704->36706 36713 4100503 36704->36713 36705 41000d1 36705->36631 36706->36705 36709 410005f 36708->36709 36711 4100510 3 API calls 36709->36711 36712 4100503 3 API calls 36709->36712 36710 41000d1 36710->36631 36711->36710 36712->36710 36714 4100507 36713->36714 36715 4100536 36714->36715 36716 54f16d0 3 API calls 36714->36716 36717 54f16e0 3 API calls 36714->36717 36715->36705 36716->36715 36717->36715 36723 4100adb 36724 4100a73 36723->36724 36725 4100510 3 API calls 36724->36725 36726 4100a85 36725->36726 36589 54f36d0 36590 54f36f3 36589->36590 36593 54f400f 36590->36593 36591 54f3752 36596 54f401a 36593->36596 36594 54f40ac ConnectNamedPipe 36597 54f40e8 36594->36597 36595 54f402e 36595->36591 36596->36591 36596->36594 36596->36595 36718 54f0de0 36719 54f0df2 36718->36719 36720 54f0e36 36719->36720 36721 54f1d58 3 API calls 36719->36721 36722 54f1d37 3 API calls 36719->36722 36721->36720 36722->36720 36764 54f5a20 36765 54f5a3e 36764->36765 36767 54f5a57 36765->36767 36770 54f5b71 36765->36770 36769 54f5b71 2 API calls 36769->36767 36771 54f5b8d 36770->36771 36776 5c703c7 36771->36776 36784 5c7036f 36771->36784 36789 5c70380 36771->36789 36772 54f5a80 36772->36769 36777 5c70380 36776->36777 36778 5c703cf CreateFileA 36776->36778 36782 5c703c7 CreateFileA 36777->36782 36794 5c703d0 36777->36794 36781 5c70505 36778->36781 36780 5c703b8 36780->36772 36782->36780 36785 5c70393 36784->36785 36787 5c703c7 2 API calls 36785->36787 36788 5c703d0 CreateFileA 36785->36788 36786 5c703b8 36786->36772 36787->36786 36788->36786 36790 5c70393 36789->36790 36792 5c703c7 2 API calls 36790->36792 36793 5c703d0 CreateFileA 36790->36793 36791 5c703b8 36791->36772 36792->36791 36793->36791 36795 5c7042e CreateFileA 36794->36795 36797 5c70505 36795->36797

                                                                                            Executed Functions

                                                                                            Function 054F0784 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72pipeCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 637 54f0784-54f24da 639 54f24dc-54f24df 637->639 640 54f24e2-54f2547 CreateNamedPipeW 637->640 639->640 642 54f2549-54f254f 640->642 643 54f2550-54f2571 640->643 642->643
                                                                                            APIs
                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 054F2534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateNamedPipe
                                                                                            • String ID: 4Ljq
                                                                                            • API String ID: 2489174969-2677868233
                                                                                            • Opcode ID: 4a8285dc673dc630f28cafe9cea96adadbbfbd7eba9bbec41349f5f68dff3dc8
                                                                                            • Instruction ID: d7b5d807d2a50a31595e459a175f6616e6d178f61ab70f2132388b81f38293aa
                                                                                            • Opcode Fuzzy Hash: 4a8285dc673dc630f28cafe9cea96adadbbfbd7eba9bbec41349f5f68dff3dc8
                                                                                            • Instruction Fuzzy Hash: E33126B58002489FCB10CF9AD984ACEBFF5BF48314F14C069E919A7221D375A855CF50
                                                                                            Function 04100F48 Relevance: 1.6, APIs: 1, Instructions: 64encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 041017AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3923188646.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_4100000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptDataProtect
                                                                                            • String ID:
                                                                                            • API String ID: 3091777813-0
                                                                                            • Opcode ID: 63c14d69a950b96bde8fe744a56d3ee3d8fd81cac28ab354b88716309543942f
                                                                                            • Instruction ID: e7bc179fde6f5c70fc6b2f28f6fae1b63976f52b8dd356ea0ac5baffb4a03fd7
                                                                                            • Opcode Fuzzy Hash: 63c14d69a950b96bde8fe744a56d3ee3d8fd81cac28ab354b88716309543942f
                                                                                            • Instruction Fuzzy Hash: 122125B68002499FDB10CF9AC884ADEBBF5FB48310F14C429E918A7250D779A555DFA1
                                                                                            Function 04101733 Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 041017AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3923188646.0000000004100000.00000040.00000800.00020000.00000000.sdmp, Offset: 04100000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_4100000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CryptDataProtect
                                                                                            • String ID:
                                                                                            • API String ID: 3091777813-0
                                                                                            • Opcode ID: 29da9a205ad0fa8ff7abf2457366ada6d1fc2b547dab5dc3c769595672a0e76c
                                                                                            • Instruction ID: 082683ecdfaf6a757f0ab57b3bece217c048f2df8924074dfaf3ab8c52cab0cf
                                                                                            • Opcode Fuzzy Hash: 29da9a205ad0fa8ff7abf2457366ada6d1fc2b547dab5dc3c769595672a0e76c
                                                                                            • Instruction Fuzzy Hash: 732137B68002499FDF10CF9AC884ADFBBF5FF48310F148429E919A7250D779A555CFA1
                                                                                            Function 054F1D58 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 604COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 0 54f1d58-54f1dde 9 54f1de9-54f1df5 0->9 10 54f1de0-54f1de2 0->10 12 54f1df7-54f1dfe 9->12 13 54f1e00-54f1e02 9->13 10->9 12->13 14 54f1e04-54f1e0b 12->14 15 54f1e10-54f1e38 13->15 16 54f1e0d 14->16 17 54f1e6a-54f1e7d 14->17 20 54f1e3a-54f1e3f 15->20 21 54f1e41 15->21 16->15 22 54f1e7f 17->22 23 54f1e80-54f1ebf 17->23 24 54f1e46-54f1e5b call 54f0784 20->24 21->24 22->23 28 54f1ec1-54f1ed5 23->28 29 54f1f00-54f1f0f 23->29 26 54f1e60-54f1e67 24->26 34 54f1ede-54f1efe 28->34 35 54f1ed7 28->35 32 54f1f16-54f1f20 29->32 33 54f1f11-54f1f14 29->33 36 54f244f-54f24da 32->36 37 54f1f26-54f1f81 32->37 33->32 34->29 35->34 50 54f24dc-54f24df 36->50 51 54f24e2-54f2547 CreateNamedPipeW 36->51 52 54f1fbf-54f1fd9 37->52 53 54f1f83-54f1f97 37->53 50->51 56 54f2549-54f254f 51->56 57 54f2550-54f2571 51->57 160 54f1fdb call 1a379b8 52->160 161 54f1fdb call 1a379c8 52->161 59 54f1f99 53->59 60 54f1fa0-54f1fbd 53->60 56->57 59->60 60->52 65 54f1fe0-54f1ff7 66 54f1ffd-54f202f 65->66 67 54f20c0-54f20dd 65->67 71 54f2047-54f204b 66->71 72 54f2031-54f2037 66->72 79 54f20e3-54f2177 67->79 80 54f22f0-54f240b 67->80 76 54f204d-54f2053 71->76 77 54f2059-54f205e 71->77 74 54f203b-54f2045 72->74 75 54f2039 72->75 74->71 75->71 81 54f2057 76->81 82 54f2055 76->82 77->67 78 54f2060-54f20bd 77->78 78->67 107 54f217d-54f21f5 79->107 108 54f23e4-54f23e6 79->108 86 54f240d 80->86 87 54f2416 80->87 81->77 82->77 86->87 87->36 162 54f21fa call 1a37481 107->162 163 54f21fa call 1a37490 107->163 109 54f22df-54f22ea 108->109 110 54f23ec-54f2402 108->110 109->79 109->80 110->109 122 54f21ff-54f222b 122->108 125 54f2231-54f2235 122->125 126 54f224b-54f224d 125->126 127 54f2237-54f2245 125->127 128 54f224f-54f2286 126->128 129 54f228e-54f22d7 126->129 127->126 132 54f2308-54f23dc 127->132 128->129 129->109 132->108 160->65 161->65 162->122 163->122
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4Ljq$d/pq$
                                                                                            • API String ID: 0-2776277539
                                                                                            • Opcode ID: e02e7cdd7efe8dccf9b96003a19245c8887329e31b9a1b60e72564e2551ee873
                                                                                            • Instruction ID: e207e830fdffabde99262c144b57086ae3d1c5e9469b6df081f2696446fadaeb
                                                                                            • Opcode Fuzzy Hash: e02e7cdd7efe8dccf9b96003a19245c8887329e31b9a1b60e72564e2551ee873
                                                                                            • Instruction Fuzzy Hash: 61324A74B002098FCB14DF68D994AAEBBF6FF88300F10846AD50AEB395DB75AD05CB55
                                                                                            Function 01A34C6E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 296 1a34c6e-1a34cb3 301 1a34d02-1a34d08 296->301 302 1a34cb5-1a34cc4 call 1a34848 296->302 305 1a34cc6-1a34ccb 302->305 306 1a34d09-1a34dd8 RtlGetVersion 302->306 318 1a34cce call 1a352e8 305->318 319 1a34cce call 1a352f8 305->319 311 1a34de1-1a34e24 306->311 312 1a34dda-1a34de0 306->312 307 1a34cd4 307->301 316 1a34e26 311->316 317 1a34e2b-1a34e32 311->317 312->311 316->317 318->307 319->307
                                                                                            APIs
                                                                                            • RtlGetVersion.NTDLL(0000009C), ref: 01A34DBE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3907036612.0000000001A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_1a30000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: Version
                                                                                            • String ID: `Qjq$`Qjq
                                                                                            • API String ID: 1889659487-374821722
                                                                                            • Opcode ID: 203b21ee625315a555a57897b3e75026f39b350c57bfbd128afa35348aea8c14
                                                                                            • Instruction ID: 04e7cfb79b3f1378d624e386b8429b331cc069f5e4a003bb6715e78501284a7d
                                                                                            • Opcode Fuzzy Hash: 203b21ee625315a555a57897b3e75026f39b350c57bfbd128afa35348aea8c14
                                                                                            • Instruction Fuzzy Hash: B7418171E003199FDB60DF68D8187AEBBB5FB85300F0485E9D509A7290DB745E58CF92
                                                                                            Function 05C703C7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138fileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 550 5c703c7-5c703cd 551 5c70380-5c7039b 550->551 552 5c703cf-5c7042c 550->552 557 5c703a4 551->557 558 5c7039d-5c703a2 551->558 553 5c70480-5c70503 CreateFileA 552->553 554 5c7042e-5c70453 552->554 568 5c70505-5c7050b 553->568 569 5c7050c-5c7054a 553->569 554->553 561 5c70455-5c70457 554->561 560 5c703a9-5c703b1 557->560 558->560 578 5c703b3 call 5c703c7 560->578 579 5c703b3 call 5c703d0 560->579 562 5c7047a-5c7047d 561->562 563 5c70459-5c70463 561->563 562->553 565 5c70467-5c70476 563->565 566 5c70465 563->566 565->565 570 5c70478 565->570 566->565 567 5c703b8-5c703ba 568->569 574 5c7054c-5c70550 569->574 575 5c7055a 569->575 570->562 574->575 576 5c70552 574->576 577 5c7055b 575->577 576->575 577->577 578->567 579->567
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05C704ED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3929272178.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_5c70000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID: 4Ljq
                                                                                            • API String ID: 823142352-2677868233
                                                                                            • Opcode ID: 21c885438ebeb69c9233d6d693a016c2e8db7d4bca76701af8878b0569944e69
                                                                                            • Instruction ID: d47d642a657f80f5d7dbc943a8fe43a3ba2a1d086f6e71179768db4116212d0d
                                                                                            • Opcode Fuzzy Hash: 21c885438ebeb69c9233d6d693a016c2e8db7d4bca76701af8878b0569944e69
                                                                                            • Instruction Fuzzy Hash: 3D5168B1E002499FDB10CFA9C949B9EBBF2FB48304F248429E809BB695D7759944CF91
                                                                                            Function 05C703D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116fileCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 580 5c703d0-5c7042c 581 5c70480-5c70503 CreateFileA 580->581 582 5c7042e-5c70453 580->582 591 5c70505-5c7050b 581->591 592 5c7050c-5c7054a 581->592 582->581 585 5c70455-5c70457 582->585 586 5c7047a-5c7047d 585->586 587 5c70459-5c70463 585->587 586->581 589 5c70467-5c70476 587->589 590 5c70465 587->590 589->589 593 5c70478 589->593 590->589 591->592 597 5c7054c-5c70550 592->597 598 5c7055a 592->598 593->586 597->598 599 5c70552 597->599 600 5c7055b 598->600 599->598 600->600
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05C704ED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3929272178.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_5c70000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID: 4Ljq
                                                                                            • API String ID: 823142352-2677868233
                                                                                            • Opcode ID: dd8bee9d4bc0051308ab84ae92d767b3953bf5a53b67c0e69450313c16d33ee9
                                                                                            • Instruction ID: e7d46e922d5a7eba09330de6b21b3b9a55f3f32ebed6ee5d7656479f6298e675
                                                                                            • Opcode Fuzzy Hash: dd8bee9d4bc0051308ab84ae92d767b3953bf5a53b67c0e69450313c16d33ee9
                                                                                            • Instruction Fuzzy Hash: 854156B0D0024DDFDB10CFA9C948B9EBBF2FB48304F248529E808AB695D7759944CF91
                                                                                            Function 05C72B40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91registryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 601 5c72b40-5c72bcb 607 5c72bcd-5c72bda 601->607 608 5c72bdc-5c72bf4 601->608 607->608 611 5c72bf9-5c72c28 RegDisablePredefinedCache 607->611 609 5c72cb6-5c72ce0 608->609 616 5c72ce2 609->616 617 5c72c6d 609->617 613 5c72c31-5c72c4c call 5c72608 611->613 614 5c72c2a-5c72c30 611->614 625 5c72c51-5c72c69 613->625 614->613 621 5c72cb4 616->621 622 5c72ce4-5c72cf6 616->622 623 5c72c6f 617->623 624 5c72c78 617->624 621->609 623->624 624->621 625->617
                                                                                            APIs
                                                                                            • RegDisablePredefinedCache.ADVAPI32 ref: 05C72C11
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3929272178.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_5c70000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CacheDisablePredefined
                                                                                            • String ID: `Qjq
                                                                                            • API String ID: 1885667121-3473714719
                                                                                            • Opcode ID: 473f31beb67cd203293b9e4b091e4e62ba083fd34c8cd68b7368219c58374441
                                                                                            • Instruction ID: 3c484ef557667ac921316ff0ad3b76823c36daf254ad335e7ad223f9b9f7ec72
                                                                                            • Opcode Fuzzy Hash: 473f31beb67cd203293b9e4b091e4e62ba083fd34c8cd68b7368219c58374441
                                                                                            • Instruction Fuzzy Hash: 6A313874D0020C9BEB14DFA9D944B9EBBB6BF88310F148829E405A7794DBB46945CB51
                                                                                            Function 054F076B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86pipeCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 627 54f076b-54f24da 630 54f24dc-54f24df 627->630 631 54f24e2-54f2547 CreateNamedPipeW 627->631 630->631 633 54f2549-54f254f 631->633 634 54f2550-54f2571 631->634 633->634
                                                                                            APIs
                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 054F2534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateNamedPipe
                                                                                            • String ID: 4Ljq
                                                                                            • API String ID: 2489174969-2677868233
                                                                                            • Opcode ID: 205da53ec937e108a9931a14b5570b137e405e4d7ef7a95917501df1a61c1a41
                                                                                            • Instruction ID: 867a5d501aa7710b51234aee0861cd032c165d9c9f055e4fd3f99af528627363
                                                                                            • Opcode Fuzzy Hash: 205da53ec937e108a9931a14b5570b137e405e4d7ef7a95917501df1a61c1a41
                                                                                            • Instruction Fuzzy Hash: 203136B68042489FCB10DF99D884BCABFF5FF48314F14806AE958AB261D375A945CFA0
                                                                                            Function 054F2490 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71pipeCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 646 54f2490-54f24da 647 54f24dc-54f24df 646->647 648 54f24e2-54f2547 CreateNamedPipeW 646->648 647->648 650 54f2549-54f254f 648->650 651 54f2550-54f2571 648->651 650->651
                                                                                            APIs
                                                                                            • CreateNamedPipeW.KERNEL32(00000000,00000001,00000008,?,?,?,00000001,00000004), ref: 054F2534
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateNamedPipe
                                                                                            • String ID: 4Ljq
                                                                                            • API String ID: 2489174969-2677868233
                                                                                            • Opcode ID: 1a56308a810e38dcad912dd7d2838e6d61c4bf61f27dc6ccdeac3365c2bef558
                                                                                            • Instruction ID: bcdf0c13f4985035f0c09b43c8e00be8f623747d17e1a579041ca5603954ee45
                                                                                            • Opcode Fuzzy Hash: 1a56308a810e38dcad912dd7d2838e6d61c4bf61f27dc6ccdeac3365c2bef558
                                                                                            • Instruction Fuzzy Hash: B23105B5800248DFCB10CF99D988ACEBFF6BF48314F18C46AE959AB221D375A555CF50
                                                                                            Function 054F400F Relevance: 1.6, APIs: 1, Instructions: 79pipeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ConnectNamedPipe.KERNEL32(00000000), ref: 054F40D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConnectNamedPipe
                                                                                            • String ID:
                                                                                            • API String ID: 2191148154-0
                                                                                            • Opcode ID: 532c755843e069515cb8e87b52148434d06e998376bf5d9fcb3070e72baf6958
                                                                                            • Instruction ID: 8fe30da941dee2429dc5de28061c49a82bfceb398da77b03052a232102e64853
                                                                                            • Opcode Fuzzy Hash: 532c755843e069515cb8e87b52148434d06e998376bf5d9fcb3070e72baf6958
                                                                                            • Instruction Fuzzy Hash: A8312575D142188FDB24CFA9D988BEEBBF5BF48300F14805AE909A7350DB78A945CF90
                                                                                            Function 054F404C Relevance: 1.6, APIs: 1, Instructions: 66pipeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ConnectNamedPipe.KERNEL32(00000000), ref: 054F40D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConnectNamedPipe
                                                                                            • String ID:
                                                                                            • API String ID: 2191148154-0
                                                                                            • Opcode ID: f5282a24bf64ad2a9b0b75ff5967ae9b34ac7c306d9ab26fe0490597966c003b
                                                                                            • Instruction ID: 66984fc0e1207f9cb51e3c99ed391b492b5b65253577c00a602d34ec49005a16
                                                                                            • Opcode Fuzzy Hash: f5282a24bf64ad2a9b0b75ff5967ae9b34ac7c306d9ab26fe0490597966c003b
                                                                                            • Instruction Fuzzy Hash: FA2104B1D042589FCB24CFA9C584BDEBBF5AF08300F14805AE949BB351DB799945CFA0
                                                                                            Function 054F4058 Relevance: 1.6, APIs: 1, Instructions: 65pipeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • ConnectNamedPipe.KERNEL32(00000000), ref: 054F40D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConnectNamedPipe
                                                                                            • String ID:
                                                                                            • API String ID: 2191148154-0
                                                                                            • Opcode ID: c0c9e56ed98337f5c9aaffbe9ade61d354ef834cca042e95b6267469b671ab46
                                                                                            • Instruction ID: 2f284d80223c01c81ec02848e99e49020533fbf380c136ba85821f31dec0c497
                                                                                            • Opcode Fuzzy Hash: c0c9e56ed98337f5c9aaffbe9ade61d354ef834cca042e95b6267469b671ab46
                                                                                            • Instruction Fuzzy Hash: E22104B0D042589FCB24CFAAC584ADEBBF5AF08300F14806AE909B7350DB749945CFA0
                                                                                            Function 054F5BE0 Relevance: 1.6, APIs: 1, Instructions: 60pipeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WaitNamedPipeW.KERNEL32(00000000), ref: 054F5C4F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: NamedPipeWait
                                                                                            • String ID:
                                                                                            • API String ID: 3146367894-0
                                                                                            • Opcode ID: a758c326fab75f193afd5393f94b6f458ec3504c754d18620a864454615dda85
                                                                                            • Instruction ID: 85e568b47399ecdd74fb667623b1f82389f2301362a83d775e83d6da83c0219c
                                                                                            • Opcode Fuzzy Hash: a758c326fab75f193afd5393f94b6f458ec3504c754d18620a864454615dda85
                                                                                            • Instruction Fuzzy Hash: 092127B68002498FCB20CF9AC444AEEBBF4FB48314F15846ED559A7240C779A545CFA5
                                                                                            Function 054F5BE8 Relevance: 1.6, APIs: 1, Instructions: 56pipeCOMMON
                                                                                            Download Yara Rule
                                                                                            APIs
                                                                                            • WaitNamedPipeW.KERNEL32(00000000), ref: 054F5C4F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3928493340.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_54f0000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: NamedPipeWait
                                                                                            • String ID:
                                                                                            • API String ID: 3146367894-0
                                                                                            • Opcode ID: 9b060f91b3c0186b4f650669b961c789f835abfad07bff4a2989da2ab7bc99ec
                                                                                            • Instruction ID: 6da19c9cd9cd58f15055360906b705583f2bce6687fb2443fbccaec06c8a63fd
                                                                                            • Opcode Fuzzy Hash: 9b060f91b3c0186b4f650669b961c789f835abfad07bff4a2989da2ab7bc99ec
                                                                                            • Instruction Fuzzy Hash: 152106B68003498FCB20CF9AC444AEEBBF4FB48314F15846ED559A7640C779A545CFA5
                                                                                            Function 012DD670 Relevance: .1, Instructions: 75COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3906143539.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_12dd000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 38dcfc59df25274d3f9cfdf4f70fb819f99546e357e04d0c8c88ff3723cc122b
                                                                                            • Instruction ID: fd52607d2e792b159ea9a519d0d66d6526a3a045a4c99c69b1af16ca2a519ae7
                                                                                            • Opcode Fuzzy Hash: 38dcfc59df25274d3f9cfdf4f70fb819f99546e357e04d0c8c88ff3723cc122b
                                                                                            • Instruction Fuzzy Hash: 9D216771550688DFDB0ADF98D9C0F26BF65FB88310F20C5A9E9090B296C37AD406CBE1
                                                                                            Function 012DD66B Relevance: .1, Instructions: 56COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3906143539.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_12dd000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                            • Instruction ID: eaa667caa4b4bb8ce1926783a48794c92f0be2efa35e00fd9e19f5a5aeed1995
                                                                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                            • Instruction Fuzzy Hash: 7011D376504684CFDB16CF54D9C4B16BF72FB88324F24C6A9D9090B257C336D45ACBA2
                                                                                            Function 012DD01D Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3906143539.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_12dd000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7f271c9baac42ceefa5a4507f72058f7f903f520832f143306ebe085d2e21c75
                                                                                            • Instruction ID: a79893e96413744894caff608453240a592618804eb9f11d18a54b8c82180f53
                                                                                            • Opcode Fuzzy Hash: 7f271c9baac42ceefa5a4507f72058f7f903f520832f143306ebe085d2e21c75
                                                                                            • Instruction Fuzzy Hash: B2012B310147489AE7209F69CC84B67FF9CEFC53A5F18C429EE490B2C6C2799801CBB1
                                                                                            Function 012DD006 Relevance: .0, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.3906143539.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_12dd000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b1a38745716890f1b0ca090804dc3277c75b869b76e781fb0ccf59c9f9f568c9
                                                                                            • Instruction ID: 1a7a754b2369ca7d3e7da58bf2b6f7bf8f06efee1e3891857e43436628a1469f
                                                                                            • Opcode Fuzzy Hash: b1a38745716890f1b0ca090804dc3277c75b869b76e781fb0ccf59c9f9f568c9
                                                                                            • Instruction Fuzzy Hash: 71015E7140E3C49ED7128B25C894B52BFB4EF53225F1981DBD9888F2E7C2699844C772

                                                                                            Execution Graph

                                                                                            Execution Coverage:8.5%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:5
                                                                                            Total number of Limit Nodes:1
                                                                                            execution_graph 20743 7ff848a88014 20745 7ff848a8801d 20743->20745 20744 7ff848a88082 20745->20744 20746 7ff848a880f6 SetProcessMitigationPolicy 20745->20746 20747 7ff848a88152 20746->20747

                                                                                            Executed Functions

                                                                                            Function 00007FF848D99355 Relevance: 7.3, Strings: 4, Instructions: 2320COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8/H$8/H$@*H$X$H
                                                                                            • API String ID: 0-4205344115
                                                                                            • Opcode ID: 299d4d01424d9b7efbcbdbe34fe620ed8bc5cfd558aa69bc0dc3223db7543a7b
                                                                                            • Instruction ID: c8312783940e40daeb092d9794ecab054235f2f5884288abee42b73df8cdbb8e
                                                                                            • Opcode Fuzzy Hash: 299d4d01424d9b7efbcbdbe34fe620ed8bc5cfd558aa69bc0dc3223db7543a7b
                                                                                            • Instruction Fuzzy Hash: 6D136930E09A198FEBA9EB28C8947A8B7B1FF58344F5041B9D40DD7292DF35AD85CB44
                                                                                            Function 00007FF848D976FA Relevance: 2.0, Strings: 1, Instructions: 767COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 665 7ff848d976fa-7ff848d97716 668 7ff848d97718-7ff848d9771a 665->668 669 7ff848d97764-7ff848d9776e 668->669 670 7ff848d9771c-7ff848d9772a 668->670 672 7ff848d97774-7ff848d97790 669->672 670->672 673 7ff848d9772c-7ff848d97749 670->673 679 7ff848d97792-7ff848d977a0 672->679 680 7ff848d977a5 672->680 673->668 681 7ff848d9774b-7ff848d9775e 673->681 679->680 683 7ff848d977a6 680->683 684 7ff848d977a7-7ff848d977b2 680->684 681->669 683->684 688 7ff848d977b4-7ff848d977c2 684->688 689 7ff848d977fc 684->689 693 7ff848d977c4-7ff848d977fa 688->693 694 7ff848d9780c-7ff848d9781a 688->694 691 7ff848d97846-7ff848d97856 689->691 692 7ff848d977fe-7ff848d97809 689->692 700 7ff848d97858-7ff848d9785a 691->700 701 7ff848d9785c-7ff848d9786a 691->701 692->694 693->689 697 7ff848d97820-7ff848d9783e call 7ff848d90c30 * 2 694->697 698 7ff848d97c28-7ff848d97c46 call 7ff848d90c30 * 2 694->698 714 7ff848d97844-7ff848d97845 697->714 715 7ff848d97abe-7ff848d97adc call 7ff848d90c30 * 2 697->715 716 7ff848d97d52-7ff848d97d5d 698->716 717 7ff848d97c4c-7ff848d97c53 698->717 705 7ff848d9786d-7ff848d97882 700->705 701->705 718 7ff848d97884-7ff848d97886 705->718 719 7ff848d97888-7ff848d978ac call 7ff848d974d0 * 2 705->719 714->691 740 7ff848d97b06-7ff848d97b24 call 7ff848d90c30 * 2 715->740 741 7ff848d97ade-7ff848d97ae8 715->741 721 7ff848d97c55-7ff848d97c64 717->721 722 7ff848d97c66-7ff848d97c68 717->722 723 7ff848d978af-7ff848d978c4 718->723 719->723 721->722 737 7ff848d97c6a 721->737 726 7ff848d97c6f-7ff848d97c93 722->726 735 7ff848d978c6-7ff848d978c8 723->735 736 7ff848d978ca-7ff848d978ee call 7ff848d974d0 * 2 723->736 738 7ff848d97c95-7ff848d97cb2 726->738 739 7ff848d97cdf-7ff848d97cee 726->739 742 7ff848d978f1-7ff848d97906 735->742 736->742 737->726 750 7ff848d97cb8-7ff848d97cdd 738->750 751 7ff848d97d5e-7ff848d97dd7 738->751 739->716 767 7ff848d97b2a-7ff848d97b35 740->767 768 7ff848d97bdb-7ff848d97be6 740->768 745 7ff848d97aea-7ff848d97afa 741->745 746 7ff848d97afc 741->746 758 7ff848d97908-7ff848d9790a 742->758 759 7ff848d9790c-7ff848d97930 call 7ff848d974d0 742->759 753 7ff848d97afe-7ff848d97aff 745->753 746->753 750->739 778 7ff848d97e20-7ff848d97e76 751->778 779 7ff848d97dd9-7ff848d97e1d 751->779 753->740 765 7ff848d97933-7ff848d97941 758->765 759->765 774 7ff848d97943-7ff848d97945 765->774 775 7ff848d97947-7ff848d97955 765->775 780 7ff848d97b37-7ff848d97b39 767->780 781 7ff848d97b3b-7ff848d97b4a 767->781 783 7ff848d97be8-7ff848d97bea 768->783 784 7ff848d97bec-7ff848d97bfb 768->784 782 7ff848d97958-7ff848d97961 774->782 775->782 801 7ff848d97e78-7ff848d97e79 778->801 802 7ff848d97e7c-7ff848d97ea0 778->802 832 7ff848d97e1e 779->832 786 7ff848d97b4d-7ff848d97b81 780->786 781->786 805 7ff848d97968-7ff848d9796f 782->805 788 7ff848d97bfe-7ff848d97c00 783->788 784->788 786->768 798 7ff848d97b83-7ff848d97b91 786->798 788->716 796 7ff848d97c06-7ff848d97c27 788->796 803 7ff848d97b93-7ff848d97b9b 798->803 804 7ff848d97ba4-7ff848d97bac 798->804 801->802 823 7ff848d97ed2-7ff848d97edb 802->823 824 7ff848d97ea2-7ff848d97eb1 802->824 807 7ff848d97bad-7ff848d97bae 803->807 808 7ff848d97b9d-7ff848d97ba2 803->808 804->807 809 7ff848d97bbe-7ff848d97bd1 804->809 805->715 810 7ff848d97975-7ff848d9797c 805->810 814 7ff848d97bb3-7ff848d97bbd call 7ff848d97508 807->814 808->814 809->768 810->715 815 7ff848d97982-7ff848d97999 810->815 814->809 826 7ff848d9799b-7ff848d979ad 815->826 827 7ff848d979ce-7ff848d979d9 815->827 829 7ff848d97eb3-7ff848d97eb4 824->829 830 7ff848d97eb7-7ff848d97ed1 824->830 835 7ff848d979b3-7ff848d979c1 826->835 836 7ff848d979af-7ff848d979b1 826->836 837 7ff848d979db-7ff848d979dd 827->837 838 7ff848d979df-7ff848d979ee 827->838 829->830 832->832 839 7ff848d979c4-7ff848d979c7 835->839 836->839 841 7ff848d979f1-7ff848d979f3 837->841 838->841 839->827 843 7ff848d97aa8-7ff848d97abd 841->843 844 7ff848d979f9-7ff848d97a10 841->844 843->715 844->843 849 7ff848d97a16-7ff848d97a33 844->849 852 7ff848d97a35-7ff848d97a3d 849->852 853 7ff848d97a3f 849->853 854 7ff848d97a41-7ff848d97a43 852->854 853->854 854->843 855 7ff848d97a45-7ff848d97a4f 854->855 857 7ff848d97a51-7ff848d97a5b call 7ff848d94688 855->857 858 7ff848d97a5d-7ff848d97a65 855->858 857->715 857->858 860 7ff848d97a93-7ff848d97aa6 call 7ff848d974f8 858->860 861 7ff848d97a67-7ff848d97a8c call 7ff848d95d10 858->861 860->715 861->860
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: U!_H
                                                                                            • API String ID: 0-2705097826
                                                                                            • Opcode ID: 28562792aa8028db80425cf28bf1c246be1bba21152ae4eacfc970348bafe729
                                                                                            • Instruction ID: 7c602aeb65cc2301c81febd47d2fe8fb9e7f26513ea795da939103d551c3c19b
                                                                                            • Opcode Fuzzy Hash: 28562792aa8028db80425cf28bf1c246be1bba21152ae4eacfc970348bafe729
                                                                                            • Instruction Fuzzy Hash: FE32E031E1EA564FE799FB2894557F927D2EF94398F14007AC04EC72D3DF28A80A8359
                                                                                            Function 00007FF848D9C903 Relevance: 5.2, Strings: 4, Instructions: 179COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 434 7ff848d9c903-7ff848d9c912 436 7ff848d9c930-7ff848d9c932 434->436 437 7ff848d9c914-7ff848d9c922 434->437 440 7ff848d9c933-7ff848d9c93f 436->440 441 7ff848d9c97c-7ff848d9c9a5 436->441 438 7ff848d9c940-7ff848d9c945 437->438 439 7ff848d9c924-7ff848d9c92a 437->439 442 7ff848d9c948-7ff848d9c957 438->442 439->442 443 7ff848d9c92c-7ff848d9c92f 439->443 440->438 451 7ff848d9c9a7-7ff848d9c9b2 441->451 452 7ff848d9c9eb-7ff848d9ca00 441->452 450 7ff848d9c962-7ff848d9c97a 442->450 443->436 450->441 458 7ff848d9c9b4-7ff848d9c9e9 451->458 459 7ff848d9ca0f-7ff848d9ca2f 451->459 456 7ff848d9ca87-7ff848d9ca90 452->456 457 7ff848d9ca06-7ff848d9ca0e 452->457 457->459 458->452 466 7ff848d9ca31-7ff848d9ca73 459->466 467 7ff848d9ca75 459->467 466->467 468 7ff848d9ca76-7ff848d9ca83 467->468 471 7ff848d9ca85 468->471 471->456
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: h`H$h`H$paH$paH
                                                                                            • API String ID: 0-2843909100
                                                                                            • Opcode ID: c0e01aa29ed05605e710849ccd552bb92dec75ca194ebac951ce14087de0d883
                                                                                            • Instruction ID: c21f7e9b6531fd56821df5ea700db947098571dbb2d0cc668b00d89b1e27e1eb
                                                                                            • Opcode Fuzzy Hash: c0e01aa29ed05605e710849ccd552bb92dec75ca194ebac951ce14087de0d883
                                                                                            • Instruction Fuzzy Hash: 05414792F1ED9B6FE694FB3D5C5A7B823C1EB986A9F540075C00CC3287DF18A8464285
                                                                                            Function 00007FF848D9C8D7 Relevance: 5.1, Strings: 4, Instructions: 149COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 475 7ff848d9c8d7-7ff848d9c8d9 476 7ff848d9c956-7ff848d9c958 475->476 477 7ff848d9c8db-7ff848d9c8de 475->477 480 7ff848d9c962-7ff848d9c9a5 476->480 478 7ff848d9c8e0-7ff848d9c8e6 477->478 479 7ff848d9c8ea-7ff848d9c8ef 477->479 478->479 481 7ff848d9c8f1-7ff848d9c8fe 478->481 479->481 489 7ff848d9c9a7-7ff848d9c9b2 480->489 490 7ff848d9c9eb-7ff848d9ca00 480->490 495 7ff848d9c9b4-7ff848d9c9e9 489->495 496 7ff848d9ca0f-7ff848d9ca2f 489->496 493 7ff848d9ca87-7ff848d9ca90 490->493 494 7ff848d9ca06-7ff848d9ca0e 490->494 494->496 495->490 502 7ff848d9ca31-7ff848d9ca73 496->502 503 7ff848d9ca75 496->503 502->503 504 7ff848d9ca76-7ff848d9ca83 503->504 507 7ff848d9ca85 504->507 507->493
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: h`H$h`H$paH$paH
                                                                                            • API String ID: 0-2843909100
                                                                                            • Opcode ID: 7d2acaf2f613ed8263f2553c216de1c15923dd214412e0f0f5e8530e3cfa9edb
                                                                                            • Instruction ID: 13e64750014207eaf79ecc02cb420c36d998c0e3b48197711fa6f0afe4b34b5e
                                                                                            • Opcode Fuzzy Hash: 7d2acaf2f613ed8263f2553c216de1c15923dd214412e0f0f5e8530e3cfa9edb
                                                                                            • Instruction Fuzzy Hash: 29416882F1EA8B5FE684FB7918562B863D1EF947A8F540075D00DC328BEE1CAD064385
                                                                                            Function 00007FF848D9C8BF Relevance: 5.1, Strings: 4, Instructions: 142COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 511 7ff848d9c8bf-7ff848d9c955 514 7ff848d9c957 511->514 515 7ff848d9c962-7ff848d9c9a5 514->515 521 7ff848d9c9a7-7ff848d9c9b2 515->521 522 7ff848d9c9eb-7ff848d9ca00 515->522 527 7ff848d9c9b4-7ff848d9c9e9 521->527 528 7ff848d9ca0f-7ff848d9ca2f 521->528 525 7ff848d9ca87-7ff848d9ca90 522->525 526 7ff848d9ca06-7ff848d9ca0e 522->526 526->528 527->522 534 7ff848d9ca31-7ff848d9ca73 528->534 535 7ff848d9ca75 528->535 534->535 536 7ff848d9ca76-7ff848d9ca83 535->536 539 7ff848d9ca85 536->539 539->525
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: h`H$h`H$paH$paH
                                                                                            • API String ID: 0-2843909100
                                                                                            • Opcode ID: 9355e0c8bb119549f7203f64fd7425eb42659844d80619c0d8b31676d30e583d
                                                                                            • Instruction ID: 680ba5d12adc0fa08eeb90699b1481a5961450057256a9b95525b2448fa96123
                                                                                            • Opcode Fuzzy Hash: 9355e0c8bb119549f7203f64fd7425eb42659844d80619c0d8b31676d30e583d
                                                                                            • Instruction Fuzzy Hash: 22411791F1DD9A9FE694FB2D58567B862D1FF98694F600075C40CC3287DE18A8464285
                                                                                            Function 00007FF848D9BFC0 Relevance: 2.7, Strings: 2, Instructions: 229COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: DH$FH
                                                                                            • API String ID: 0-513070443
                                                                                            • Opcode ID: 6b2371c8d3e173de77313706124ff2d6684e6e0901cfca74a411b7d70720a54c
                                                                                            • Instruction ID: cc1fe496397e3b68e7e857d176abdddfbbce4ea495220846fbb66d308ff229d3
                                                                                            • Opcode Fuzzy Hash: 6b2371c8d3e173de77313706124ff2d6684e6e0901cfca74a411b7d70720a54c
                                                                                            • Instruction Fuzzy Hash: C7516761A0EACB4FE796AB3CA855A753BD0EF95288F0801FBC04DC7197DF18A8098345
                                                                                            Function 00007FF848A88014 Relevance: 1.7, APIs: 1, Instructions: 174COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3927248799.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848a80000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID: MitigationPolicyProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1088084561-0
                                                                                            • Opcode ID: 5dd60eb1eebfa6b246ba4b318dc7cf3600e33a7ed4a66e56a4dd7562779ed599
                                                                                            • Instruction ID: cb8f4a5d562f262bf1c3de2a7d28fa0a99609456b0bef4c61617adc1f94403ca
                                                                                            • Opcode Fuzzy Hash: 5dd60eb1eebfa6b246ba4b318dc7cf3600e33a7ed4a66e56a4dd7562779ed599
                                                                                            • Instruction Fuzzy Hash: 7E41283190CB588FDB15EFA8984A5E97BF0EF55350F04017EE449C3292DF68A846C7A2
                                                                                            Function 00007FF848D9B5AD Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @*H
                                                                                            • API String ID: 0-1553558910
                                                                                            • Opcode ID: 18647f7d1b507a11eefa38f8e9c9bb45d1d1550420ecb4e2fb96be9c69cb8871
                                                                                            • Instruction ID: 8e3e8b7e60f97911179f59ce6290ababd57cb3ff6967684022ff82014003966f
                                                                                            • Opcode Fuzzy Hash: 18647f7d1b507a11eefa38f8e9c9bb45d1d1550420ecb4e2fb96be9c69cb8871
                                                                                            • Instruction Fuzzy Hash: B311E521E1EDA79FE658BA38841537533D1FF44788F5541BAC049C718ADF29BC064748
                                                                                            Function 00007FF848D9B5CE Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @*H
                                                                                            • API String ID: 0-1553558910
                                                                                            • Opcode ID: 0be84c4982573886fcb9db0ce1f4bfb623ba8f016bebe7e65df02c721f236ef4
                                                                                            • Instruction ID: 8cff96d7692cbdfee9a424de0e00d1f2363616111ad226671b5fdbd3a771b77d
                                                                                            • Opcode Fuzzy Hash: 0be84c4982573886fcb9db0ce1f4bfb623ba8f016bebe7e65df02c721f236ef4
                                                                                            • Instruction Fuzzy Hash: 8001D221E1EDAB9FE698BA2C841937433D2FF44788F5441B9C00DC7186DF29BC064784
                                                                                            Function 00007FF848D9DC10 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PfH
                                                                                            • API String ID: 0-3259816621
                                                                                            • Opcode ID: 8248921c8cb354d1ef1ae9725e9169646aaf0b7613c28f56331d347163aab3f5
                                                                                            • Instruction ID: 362c6781adc73b0bc9a9044bb474b627ff4730b8edf5185e0eb21275e7171cd4
                                                                                            • Opcode Fuzzy Hash: 8248921c8cb354d1ef1ae9725e9169646aaf0b7613c28f56331d347163aab3f5
                                                                                            • Instruction Fuzzy Hash: 86014C71E099298EDBA4FA2CD8997F873B1EF58784F0001F9D10DD3195DF35A9858B40
                                                                                            Function 00007FF848D96591 Relevance: .6, Instructions: 609COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cedc8e59f5499aaee49736c176c3568f12df0a3ecf57a9113e593cad5c701784
                                                                                            • Instruction ID: 21a5d8fe649a9a7ac6caac1983f6df54c7467aa47d1f0cc69ef71db0d2ce637f
                                                                                            • Opcode Fuzzy Hash: cedc8e59f5499aaee49736c176c3568f12df0a3ecf57a9113e593cad5c701784
                                                                                            • Instruction Fuzzy Hash: C3023621D0E99B4FE7A5BA2868513F937D1EF457D8F1840BAD44D8B1C7EF2CA80A8345
                                                                                            Function 00007FF848D90031 Relevance: .6, Instructions: 598COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 26c1ffeb3fb3eb4fe92b73f24ea788feb10058e105e2a92e956a0a31287c6d99
                                                                                            • Instruction ID: 43891c27e97f71f342609ae44f7dd3703d41d3025bd8cbecc22f7783ccd8a038
                                                                                            • Opcode Fuzzy Hash: 26c1ffeb3fb3eb4fe92b73f24ea788feb10058e105e2a92e956a0a31287c6d99
                                                                                            • Instruction Fuzzy Hash: ED022531A0EA8A8FE799FA2CA8557B537D1FF58384F0400B9D44DCB283DF28AC498355
                                                                                            Function 00007FF848D905F2 Relevance: .5, Instructions: 536COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b61ee1895352fa9c2b67e287f86cd1c3276fd3076d30ef3d98c116ca31a81d2b
                                                                                            • Instruction ID: 576e66b114bf0346fba2618d72d399e16e0dfe57adfd0ab0a1703c78475c602b
                                                                                            • Opcode Fuzzy Hash: b61ee1895352fa9c2b67e287f86cd1c3276fd3076d30ef3d98c116ca31a81d2b
                                                                                            • Instruction Fuzzy Hash: C802BF35A0DA498FEA88FE2CD495AA473E1FF64348F2409B9C059CF197DB25EC46CB44
                                                                                            Function 00007FF848D906FA Relevance: .4, Instructions: 353COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 23afb603b5c04ab151394184f97a183c870d7bcee67cb112e6fde146b27c9674
                                                                                            • Instruction ID: 45f16e41d92239767d2eb4bc9f6aecf4a558f6845e2ea6ece3f53e99990018c5
                                                                                            • Opcode Fuzzy Hash: 23afb603b5c04ab151394184f97a183c870d7bcee67cb112e6fde146b27c9674
                                                                                            • Instruction Fuzzy Hash: BBC1DD3460DA098FDADCEF18C095A6573E1FF64348B6509ACD05ACF297DB25F846CB44
                                                                                            Function 00007FF848D9075F Relevance: .3, Instructions: 343COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aba311b3e9f4509537d0c239f7773b41e2cabbdc5869f6d696bfa80d560e06fc
                                                                                            • Instruction ID: 5f8178f292637fff04bfe9dc742ce171f719ccf4e6c9fe99924a4b2f1cde42fe
                                                                                            • Opcode Fuzzy Hash: aba311b3e9f4509537d0c239f7773b41e2cabbdc5869f6d696bfa80d560e06fc
                                                                                            • Instruction Fuzzy Hash: BBC1CF3460DA098FDADCEF18C095A65B3E1FF68348B6409ACD05ACF297CB25F846CB44
                                                                                            Function 00007FF848D951BD Relevance: .3, Instructions: 335COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cbd1feb719bda59dc5d3cf4a3f36e4dfaf0e23f02eeb8488995c090855ac2611
                                                                                            • Instruction ID: a100e6a396c698011f7a7069a55fee55f142dd339bffa58fd981a575d46bd4b2
                                                                                            • Opcode Fuzzy Hash: cbd1feb719bda59dc5d3cf4a3f36e4dfaf0e23f02eeb8488995c090855ac2611
                                                                                            • Instruction Fuzzy Hash: 9EB1BC3460DB098FDADCEF18C095A6577E2FF68744B6509ACD019CB29BCB25F846CB44
                                                                                            Function 00007FF848D956C9 Relevance: .3, Instructions: 301COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 068df7dfe2e727820825353f4f892749e43e69a481f4b152d5c6116dec6febf4
                                                                                            • Instruction ID: 65b0f88d017f5f46d7b2330779943cd116f9c6f9ea9dc6182685154b5a242338
                                                                                            • Opcode Fuzzy Hash: 068df7dfe2e727820825353f4f892749e43e69a481f4b152d5c6116dec6febf4
                                                                                            • Instruction Fuzzy Hash: 5B913A32D0E98B5FEB58FA2894515B53BF0EF517A4F1402BAC44EC7582EF18B90AC785
                                                                                            Function 00007FF848D93EE0 Relevance: .3, Instructions: 288COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ead50e0998d1ee343500a32b34a6a3c381061c0e9ed653e236421079d8a6c64b
                                                                                            • Instruction ID: 37b216af433aebca1ff16ff0dc38e7f1a1cc0e87a1cd7a526a547dcf87a86b36
                                                                                            • Opcode Fuzzy Hash: ead50e0998d1ee343500a32b34a6a3c381061c0e9ed653e236421079d8a6c64b
                                                                                            • Instruction Fuzzy Hash: A5A18634A0DA4A8FDBDCEF28C4557A177A2FF59348B2405E9C059CB69BCB25E846C740
                                                                                            Function 00007FF848D9B28A Relevance: .2, Instructions: 214COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8e64efcce6f0ee8f140b723ae6be11e0bd77544036e1eb9cd58782d5151930f7
                                                                                            • Instruction ID: 1cf167665766caa81ead97c0d670529fc201cb2ad7005394157eb923a827d917
                                                                                            • Opcode Fuzzy Hash: 8e64efcce6f0ee8f140b723ae6be11e0bd77544036e1eb9cd58782d5151930f7
                                                                                            • Instruction Fuzzy Hash: 7F617B30B1E95A9FEB88FB2C8455BB973E2EF98784F5500B5D00DC3296CE38AD418745
                                                                                            Function 00007FF848D967A4 Relevance: .2, Instructions: 210COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d459633cfdde25568f4b1752a39a3e20ca0298ce2772575acae23dba9f47aacb
                                                                                            • Instruction ID: c5e8171a6928893396df8d658da8b774879105092095b3b84da971eb54c50a22
                                                                                            • Opcode Fuzzy Hash: d459633cfdde25568f4b1752a39a3e20ca0298ce2772575acae23dba9f47aacb
                                                                                            • Instruction Fuzzy Hash: E251165290E5D61FE746BB7C78622F93BA0DF466B8F0801B6D48CCB0E7EE18550A8395
                                                                                            Function 00007FF848D92766 Relevance: .2, Instructions: 188COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 76ada906afe3e1bd4e0a8aac77d2cd4c14e004c9e19acfb7382eb481540f6190
                                                                                            • Instruction ID: e166a67def4c21900ba5a899ccdaf9d931dc6fc21e8dc875c729fe601489291e
                                                                                            • Opcode Fuzzy Hash: 76ada906afe3e1bd4e0a8aac77d2cd4c14e004c9e19acfb7382eb481540f6190
                                                                                            • Instruction Fuzzy Hash: 4D51A371A0D98A8FEBC8EE289455BA533D1FF58754F0400A9C45EDB286DF35EC068B84
                                                                                            Function 00007FF848D9CDCF Relevance: .2, Instructions: 179COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fb50829f67a6880009a442b23060040d01a5a623436182a54848339c6640e92f
                                                                                            • Instruction ID: cbd299a4ccead51314e79d6a700f11dfb124c802ac024025586c9befddc61c56
                                                                                            • Opcode Fuzzy Hash: fb50829f67a6880009a442b23060040d01a5a623436182a54848339c6640e92f
                                                                                            • Instruction Fuzzy Hash: FF51D272D0E6994FE751FB2C98A52E97BB0EF42354F0401FBC489C7193EB28294A8755
                                                                                            Function 00007FF848D93919 Relevance: .2, Instructions: 170COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 95fa1e0bcde5d3329ac9ba334d65bfd3ae6e985fe2ebc4bdf2b418c74ee35a71
                                                                                            • Instruction ID: 9f07f05a3ccfdf5aa99ad0528b5f12ef00e13bf3e4884952a650a656cddd2558
                                                                                            • Opcode Fuzzy Hash: 95fa1e0bcde5d3329ac9ba334d65bfd3ae6e985fe2ebc4bdf2b418c74ee35a71
                                                                                            • Instruction Fuzzy Hash: AB518A6194EBC21FE31793784865B517FA19E171A8B1D02DAC0D4CF1F7EA9E944AC322
                                                                                            Function 00007FF848D96C4B Relevance: .2, Instructions: 167COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2823587d9528b6569d631ef9a6ab1bbf66b95a376d097cb49092245e5ed399e5
                                                                                            • Instruction ID: e0dc465746e14c74691a600faae9a627208827388574aea4ac78a8e79db0d115
                                                                                            • Opcode Fuzzy Hash: 2823587d9528b6569d631ef9a6ab1bbf66b95a376d097cb49092245e5ed399e5
                                                                                            • Instruction Fuzzy Hash: FC513371D1E98A5FE799BE28A8417F43790FF10B88F04407DD41ECB187EF28A84A8384
                                                                                            Function 00007FF848D90852 Relevance: .1, Instructions: 148COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 692fec2d340f773d8c73b4d71f0d2c200ceabd392c4f51cf1f8dbec63626dba0
                                                                                            • Instruction ID: 6af6ceee859695d00efc7e55c748635241f521e5844c8543ec9f447caede011f
                                                                                            • Opcode Fuzzy Hash: 692fec2d340f773d8c73b4d71f0d2c200ceabd392c4f51cf1f8dbec63626dba0
                                                                                            • Instruction Fuzzy Hash: 8A51A873D0FAD25FF355BB38A8A91A47BA0EF13698F0D01F6C0858B0A3EB18594D8755
                                                                                            Function 00007FF848D960E9 Relevance: .1, Instructions: 143COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e0eaa288d02985e82944c5b313e38d44934252d23ff275b3b13d4aa82c034c44
                                                                                            • Instruction ID: d3d2a6f058fc4326260830eced20191eab6c5576e8701bb3bc06e337a273c33b
                                                                                            • Opcode Fuzzy Hash: e0eaa288d02985e82944c5b313e38d44934252d23ff275b3b13d4aa82c034c44
                                                                                            • Instruction Fuzzy Hash: 2A418670A0CA4A8FDB88DF24D8A4A653791FF59318F1401ADD41EC72D2DB35D856CB40
                                                                                            Function 00007FF848D94461 Relevance: .1, Instructions: 138COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e8e6d7a037802c0fabb4148088260ba90bfb4379df6572e772668feebd197c7b
                                                                                            • Instruction ID: b46fcbd6b623243a8c5599c0db2d488fb3e3c1dc89173ba4b94d4f2e92fc04c8
                                                                                            • Opcode Fuzzy Hash: e8e6d7a037802c0fabb4148088260ba90bfb4379df6572e772668feebd197c7b
                                                                                            • Instruction Fuzzy Hash: 7331A022E0ED894FE799BA3C54857B423D2EF69798F4401BAD00DC7297EE59AC0A8345
                                                                                            Function 00007FF848D993B6 Relevance: .1, Instructions: 137COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a5708fade10ffc916fdf478ed7192d33a2906cfe134181e646653add899cbb60
                                                                                            • Instruction ID: d5165c3c1211e3b1b8d4801d7e867bb4891b706f26f460d78fe3c0bfc30ea570
                                                                                            • Opcode Fuzzy Hash: a5708fade10ffc916fdf478ed7192d33a2906cfe134181e646653add899cbb60
                                                                                            • Instruction Fuzzy Hash: A4412471E1EA8A9FEB96EB2888687B43BE1FF55748F5400B9D00CC729ADF359805C705
                                                                                            Function 00007FF848D9BCD5 Relevance: .1, Instructions: 130COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1ba9658dff6e13b9d4575c9946af56f789826d5f59dbfe5dd825141fe90e3445
                                                                                            • Instruction ID: 677f5c56974da56cc3a7cbc25d802e3760cd0820f8f38b402e8732c248f7c0e3
                                                                                            • Opcode Fuzzy Hash: 1ba9658dff6e13b9d4575c9946af56f789826d5f59dbfe5dd825141fe90e3445
                                                                                            • Instruction Fuzzy Hash: 55312431A1DE1A8FE785FB2C98956B873D1FF94794F54027AC40EC3296DF28E8428381
                                                                                            Function 00007FF848D926DE Relevance: .1, Instructions: 122COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3ce1ca71bb73f0c1b1cb3909a45173590ef9a3f237204899f9eb102e595180f4
                                                                                            • Instruction ID: 336fb6975f434b0bad28dc3e9433fa62559bb0827aa6aa2dd55da2d4f135a0ac
                                                                                            • Opcode Fuzzy Hash: 3ce1ca71bb73f0c1b1cb3909a45173590ef9a3f237204899f9eb102e595180f4
                                                                                            • Instruction Fuzzy Hash: 49314971D0D98A5FEA5CBA2CA806AB573D1FF94794F140079E40DC3287EF25F8074285
                                                                                            Function 00007FF848D9CDFB Relevance: .1, Instructions: 118COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 43af9676ea2ec6a45553a4d4d9c8f34a65407cfc91649dd5c35608726cec45b8
                                                                                            • Instruction ID: fb44181afbb35c9c06010ed8561df2bdc89c52eba46bec8d878d77844ba02d60
                                                                                            • Opcode Fuzzy Hash: 43af9676ea2ec6a45553a4d4d9c8f34a65407cfc91649dd5c35608726cec45b8
                                                                                            • Instruction Fuzzy Hash: EE318E63D0E5D55FE351FB7CA4E61F97BB0DF41668F0801B7D48987093EF14254A4254
                                                                                            Function 00007FF848D9CDD7 Relevance: .1, Instructions: 109COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cd01525c3a8c266b27d8d7c4efc23829b0849bb3668041c41fdcbbd771aca67b
                                                                                            • Instruction ID: 0f7a253eccda8f6d819612c9db20dd0b1749208109db27fb2ee15cf84b0c5b25
                                                                                            • Opcode Fuzzy Hash: cd01525c3a8c266b27d8d7c4efc23829b0849bb3668041c41fdcbbd771aca67b
                                                                                            • Instruction Fuzzy Hash: 2B31A5A3D0E6D94FE311FB7CA8A61F97BB0EF416A8F0801B7D4898B093EF14254E4654
                                                                                            Function 00007FF848D908FA Relevance: .1, Instructions: 103COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ea4d102481e63dbe89f58684ecdbe047d17b65bfd372aeb0553a8072f06eb9a2
                                                                                            • Instruction ID: 045b7151bf4bd9106a65a1f1624b69daeaf367ca160695613f7f7779bff4fba2
                                                                                            • Opcode Fuzzy Hash: ea4d102481e63dbe89f58684ecdbe047d17b65bfd372aeb0553a8072f06eb9a2
                                                                                            • Instruction Fuzzy Hash: 6F31EB7280E9D65FF745BB3CE8A9554BB60EF12768F0D01B6C0858B063EB18294EC715
                                                                                            Function 00007FF848D912CF Relevance: .1, Instructions: 99COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c87b51215917fe438d0c0ddf141f27f461baa289580907d63a7a87f3a0d78ea4
                                                                                            • Instruction ID: 0de3003ecd1080d536727b2eba2c9cef16119ee337f999ba354426e6829684c6
                                                                                            • Opcode Fuzzy Hash: c87b51215917fe438d0c0ddf141f27f461baa289580907d63a7a87f3a0d78ea4
                                                                                            • Instruction Fuzzy Hash: 3C31A172C0E5958FE701FF38A4961E97770EF02358F0941B7C08D8B0A3EF28A9498A84
                                                                                            Function 00007FF848D90908 Relevance: .1, Instructions: 98COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b81b444563f9f70d6d1b990298f0f2843a7b37e4368cab719bd60cc8552f960
                                                                                            • Instruction ID: fcd75b5bec6884849f0c806d01487eb8b68ab0858444d16a01c5a4c030922dc0
                                                                                            • Opcode Fuzzy Hash: 2b81b444563f9f70d6d1b990298f0f2843a7b37e4368cab719bd60cc8552f960
                                                                                            • Instruction Fuzzy Hash: 4731987290EAD65FF745BB3CE8A95947B60EF12668F0D01F6C0858F0A3EB18294DC715
                                                                                            Function 00007FF848D95961 Relevance: .1, Instructions: 96COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ae5fee9edf030cd997944f37b6e03d0edda7baa1995385367ad4f2bce6f208d8
                                                                                            • Instruction ID: 2f1837faf2b61a79e553cdac6fe09700aa63cf01aaa7e7054f0dae5902cf294d
                                                                                            • Opcode Fuzzy Hash: ae5fee9edf030cd997944f37b6e03d0edda7baa1995385367ad4f2bce6f208d8
                                                                                            • Instruction Fuzzy Hash: 1D21D831A0EE461EFF48FA28A4439F973D1EF117A4F40017AD44A83587DF19F84A8789
                                                                                            Function 00007FF848D9D9D2 Relevance: .1, Instructions: 93COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c39bf842dc51fd3f32461f802ee1a5858dd69b555320c47f70351e8d4344be87
                                                                                            • Instruction ID: 30c3896b37d7ff835cab0ebaa97a8e21eb9ae2ce84d6f3bc226de72f22277849
                                                                                            • Opcode Fuzzy Hash: c39bf842dc51fd3f32461f802ee1a5858dd69b555320c47f70351e8d4344be87
                                                                                            • Instruction Fuzzy Hash: 0B31A471E1E64A4FF758FB28841A3A826D1EF553A8F95407AC44AE32C2DF2D684E4385
                                                                                            Function 00007FF848D90918 Relevance: .1, Instructions: 91COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7caece1fcaaa3de8dfaa285f65ffb9311fe10fb30b9985d0c75d9481caab5820
                                                                                            • Instruction ID: 81c1e80022408551fdd79838845b9389a9625dc93f18a8b88534d96d524165ff
                                                                                            • Opcode Fuzzy Hash: 7caece1fcaaa3de8dfaa285f65ffb9311fe10fb30b9985d0c75d9481caab5820
                                                                                            • Instruction Fuzzy Hash: 4E31A77290E9D55FF705BB3CE8A9598BB60EF12668F0D01B6C0858B0A3EB18294D8615
                                                                                            Function 00007FF848D912D7 Relevance: .1, Instructions: 90COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fbd81fb22f965fb77ebd500b3f75b5024a73b7f2b2e67d2e0881fd518dc24628
                                                                                            • Instruction ID: 832361eb4c6bd05bcb627a93b48cf12f4bbb79c21c26645626f1324c5f3d967f
                                                                                            • Opcode Fuzzy Hash: fbd81fb22f965fb77ebd500b3f75b5024a73b7f2b2e67d2e0881fd518dc24628
                                                                                            • Instruction Fuzzy Hash: C621AEB280D5958EEB04FF7CA4965E97760EF02798F0845B6D08D8B063EF28A9498A44
                                                                                            Function 00007FF848D97FA5 Relevance: .1, Instructions: 87COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 79db0802d421f06eda5b71dd08382e4c096f965ef422d4c14bf92712da6e1ea1
                                                                                            • Instruction ID: 060321ea0415638bb39b063a2e204b37fab482860935fd591d69eb8859224ee7
                                                                                            • Opcode Fuzzy Hash: 79db0802d421f06eda5b71dd08382e4c096f965ef422d4c14bf92712da6e1ea1
                                                                                            • Instruction Fuzzy Hash: 8A21E020E0EA468FE79ABB288420B7566D2EF85788F0840F6C04DC71D2DF5CAC099769
                                                                                            Function 00007FF848D912FB Relevance: .1, Instructions: 85COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 32e99aee1ab1aa0127775cb6ad8a9c6b73c0b63abe92321edfbbdfc4a05de123
                                                                                            • Instruction ID: 3ce9b973fb4b3e9490dd2e958084a215ae4d88da0592fbc54152360aa464421b
                                                                                            • Opcode Fuzzy Hash: 32e99aee1ab1aa0127775cb6ad8a9c6b73c0b63abe92321edfbbdfc4a05de123
                                                                                            • Instruction Fuzzy Hash: 1F21A0B280D5958FE700FF7CA4965E97760EF06358F0841B7D08D8B063EF28B9898A44
                                                                                            Function 00007FF848D9B654 Relevance: .1, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0c1b946630d889f33e514a858332eed09d3cdd9ccdcd7acbb96c5257c99b0668
                                                                                            • Instruction ID: fcdfb43591c9f3037a5bfc35951d2ae8c52ac0f9af42de6a2ef645a805f24b9b
                                                                                            • Opcode Fuzzy Hash: 0c1b946630d889f33e514a858332eed09d3cdd9ccdcd7acbb96c5257c99b0668
                                                                                            • Instruction Fuzzy Hash: 22110832A0E26A4EE70DF658E8163F83781DF81269F04007ED05EC7493DB1A741F8259
                                                                                            Function 00007FF848D925C0 Relevance: .1, Instructions: 70COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b77e624d568015e0e8ddf32644869e0a1d3f5baccdc9a297026888a4e678f072
                                                                                            • Instruction ID: 6381ce44fdaa11cd6136d50b51bcc197d3b668a5ee8ed7d80c95904185b726b9
                                                                                            • Opcode Fuzzy Hash: b77e624d568015e0e8ddf32644869e0a1d3f5baccdc9a297026888a4e678f072
                                                                                            • Instruction Fuzzy Hash: 0B117F71B09A8A8FE788EE18D855AB933E1FF68744F1404BDC45EC7292CF25AC06CB40
                                                                                            Function 00007FF848D95F7D Relevance: .1, Instructions: 69COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: feb0c76f403b0ebd9443e5f8474422c328d1b9a71845cbd30c9ad0169f8e7f97
                                                                                            • Instruction ID: 2239dd69b4e4bdc825b190f219a70f41d33bd7b04a416d07848aab0c01e397ee
                                                                                            • Opcode Fuzzy Hash: feb0c76f403b0ebd9443e5f8474422c328d1b9a71845cbd30c9ad0169f8e7f97
                                                                                            • Instruction Fuzzy Hash: F111AF71D0DB498FEB85AF6858A56A83FB0FF55348F0501EAD04DD3192DF349809CB15
                                                                                            Function 00007FF848D9280C Relevance: .1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8f920d54567a6023d06ddf68d9b18f43b5ef146dff108147656c813587926515
                                                                                            • Instruction ID: 1503dfa26268b9c6e9c6ac26ca034580abb670ffc9dabb72f818374b81c1276e
                                                                                            • Opcode Fuzzy Hash: 8f920d54567a6023d06ddf68d9b18f43b5ef146dff108147656c813587926515
                                                                                            • Instruction Fuzzy Hash: 0F118E30A0D94A8FEB88EF288440B6577A1FF68794F0440B8C44ECB287CF39EC498781
                                                                                            Function 00007FF848D94E59 Relevance: .1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 888ab354d374bc13b2aa81683370cf8093046a43d1cc529196e0c06a5e0ba963
                                                                                            • Instruction ID: a5c7eca50c45db3d97f40db63153cfd1ab96dc1d7b68689f2e5f60c4415889e1
                                                                                            • Opcode Fuzzy Hash: 888ab354d374bc13b2aa81683370cf8093046a43d1cc529196e0c06a5e0ba963
                                                                                            • Instruction Fuzzy Hash: 54110225D0EA470EF769B22D84A137566E2EF80284F0980BAC04DC31D3DF6C9CC98315
                                                                                            Function 00007FF848D92875 Relevance: .1, Instructions: 62COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 49e4a307b2fb640b4e0c8a9bb5cd4231400a7361a71464a3c056f83415529986
                                                                                            • Instruction ID: e568e13e4201f947d8b5229997dbeb59f9e5f53efcf841b8636bd9ce8e2a9ecc
                                                                                            • Opcode Fuzzy Hash: 49e4a307b2fb640b4e0c8a9bb5cd4231400a7361a71464a3c056f83415529986
                                                                                            • Instruction Fuzzy Hash: 2A116070A199894FDB88EF288454B6577A1FF68754F0440A8C44ECB287DF39EC498781
                                                                                            Function 00007FF848D9DB4D Relevance: .1, Instructions: 61COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c76f4086e3baf349ca4e2426a0ed2de3adf9428eb2071a6ff7ed40009c31d818
                                                                                            • Instruction ID: 633d37c98430665d7abfb5a71cc1dae219c937eafa4e87d96843b6df96f3cc3d
                                                                                            • Opcode Fuzzy Hash: c76f4086e3baf349ca4e2426a0ed2de3adf9428eb2071a6ff7ed40009c31d818
                                                                                            • Instruction Fuzzy Hash: 6511E67191A9599FDBE8EB28D898F9873F1FF28740F4001E5D40DD7262CE38AD808B00
                                                                                            Function 00007FF848D9CF18 Relevance: .1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9467030d1e6d61769ef92c3a1ee9a40423a44bf2da80ddce6cfa26a48d5bc694
                                                                                            • Instruction ID: 6db5f330c94ef9576555c9dc88746de089c18963a01f3ab3d8d1507a48699052
                                                                                            • Opcode Fuzzy Hash: 9467030d1e6d61769ef92c3a1ee9a40423a44bf2da80ddce6cfa26a48d5bc694
                                                                                            • Instruction Fuzzy Hash: 8A11917090EA9C8FDB55EB24CC686A57BB0FB95345F0401EAC449D3292DF382949CB56
                                                                                            Function 00007FF848D94B00 Relevance: .1, Instructions: 60COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: eb40adb094233f3a1b7720e34458679ddc4e3327547a71587eaaaebc65f814f0
                                                                                            • Instruction ID: 8e2c1aa9b43b61a48b10f9709161db396a5b49565c30969b373ff2eeaab1840f
                                                                                            • Opcode Fuzzy Hash: eb40adb094233f3a1b7720e34458679ddc4e3327547a71587eaaaebc65f814f0
                                                                                            • Instruction Fuzzy Hash: 1D01C431A0DD084FDAD4EA2CE45877577D2EBD8369F54017ED80CC32A5DB26A884C740
                                                                                            Function 00007FF848D90970 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0aa93e443e3475b91c2eeac0b6aca7ed870f1c3aa4fb5450536fd2f46553bf78
                                                                                            • Instruction ID: 0da9ef0dd22ab496bd23943e0f2782a1574ed4ad1238651252af877d8952e6cf
                                                                                            • Opcode Fuzzy Hash: 0aa93e443e3475b91c2eeac0b6aca7ed870f1c3aa4fb5450536fd2f46553bf78
                                                                                            • Instruction Fuzzy Hash: F711A37280EAD54FF306BA39D8A95547F60EF13664F0901EAC0858F0A3EA28694DC716
                                                                                            Function 00007FF848D94AE5 Relevance: .1, Instructions: 57COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c87e747e5e4d66cf407e81502938d8a0f0c435427dc4bed8a0b37dcd7cbc914f
                                                                                            • Instruction ID: 4d0c07e5221e8537ef3c2b1255c5219a6a7ee2292131e7a37118f5aa012fd35e
                                                                                            • Opcode Fuzzy Hash: c87e747e5e4d66cf407e81502938d8a0f0c435427dc4bed8a0b37dcd7cbc914f
                                                                                            • Instruction Fuzzy Hash: 6501F531A0DB840FD7C5E63898682B17FE1EF96229F0801FBD848C72A3DB145845C305
                                                                                            Function 00007FF848D9C4CD Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ea5fec42d01fafb441c955108212e835a2066728df16e667535bed7f4cd8222
                                                                                            • Instruction ID: 07f42d02cf0faa639251cff7632082174e09dd52307078e3a652722ed8533afd
                                                                                            • Opcode Fuzzy Hash: 7ea5fec42d01fafb441c955108212e835a2066728df16e667535bed7f4cd8222
                                                                                            • Instruction Fuzzy Hash: 44F09021B1E90D5FE288F66CA49E37C32D2FBA8295B10057AC40DC32AADE28AC454361
                                                                                            Function 00007FF848D9682C Relevance: .0, Instructions: 45COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 25eb6bd7b966481663c0b118319b113397fbab1118f1e6b28e85733721f2c625
                                                                                            • Instruction ID: f5d64ad4974aec0479c2099b12284d1afc4f8d3fdaf12aee1cd06ac49518eaad
                                                                                            • Opcode Fuzzy Hash: 25eb6bd7b966481663c0b118319b113397fbab1118f1e6b28e85733721f2c625
                                                                                            • Instruction Fuzzy Hash: 87014F70A0F5175DFED8BA1564A17B812D1AF55399F84007CDC4E8B1C7DF2CA80D8329
                                                                                            Function 00007FF848D9DDE0 Relevance: .0, Instructions: 40COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cfd2f60f3992e1d2cf66d67dafda2406c785edc2f9642e8a7f092f80596014ca
                                                                                            • Instruction ID: 2cc3191804ff00b0d5850d982668dcc3eef7d54a9a27d729aec7923dccf4bf63
                                                                                            • Opcode Fuzzy Hash: cfd2f60f3992e1d2cf66d67dafda2406c785edc2f9642e8a7f092f80596014ca
                                                                                            • Instruction Fuzzy Hash: A6E09BB114E50C6EA61CAA55AC079F7379CE747134F00111FE18E85002F152B52382A5
                                                                                            Function 00007FF848D9DC4E Relevance: .0, Instructions: 37COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8fc24ce696ade6d0aa81493f17c4d2c9e26d02164a21f1113663cb32e9923725
                                                                                            • Instruction ID: 4e0e35a9d0e7e51d1dcd60ef0dc2831387cccfbe126ed21614c92b4df755e488
                                                                                            • Opcode Fuzzy Hash: 8fc24ce696ade6d0aa81493f17c4d2c9e26d02164a21f1113663cb32e9923725
                                                                                            • Instruction Fuzzy Hash: 96F0C471D1992E8EDBA4EA28D8997E8B3A1EB98345F5001FAC10DD3255DF346AC58B00
                                                                                            Function 00007FF848D909A0 Relevance: .0, Instructions: 36COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be7c4840961b220d9c4c4a5bffaf937dbcc2efdd2cc4f05e1b34f4cad828436e
                                                                                            • Instruction ID: c4ca0525f0537ccc12da179aca3534acdedd7b08ce821f1e076dfe5f5e267e27
                                                                                            • Opcode Fuzzy Hash: be7c4840961b220d9c4c4a5bffaf937dbcc2efdd2cc4f05e1b34f4cad828436e
                                                                                            • Instruction Fuzzy Hash: 83F06D6290F6C54FE346BB3898695A47F60EF13264B0D01FBD089CB0B3EA18594CC716
                                                                                            Function 00007FF848D943F9 Relevance: .0, Instructions: 34COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6fdecb614e982e659df5220b97cc06c5724fdd393a895a259ffa59893b12c989
                                                                                            • Instruction ID: 8dd80187b7a5f8938f2058e59a4e804e5a4b2cc92dfdc672d4f6f06e7c098ebd
                                                                                            • Opcode Fuzzy Hash: 6fdecb614e982e659df5220b97cc06c5724fdd393a895a259ffa59893b12c989
                                                                                            • Instruction Fuzzy Hash: 15F08C3190D7C94FE719AB34886A2A97BA2FF45244F5800BAE408C7193EF6899088781
                                                                                            Function 00007FF848D93A89 Relevance: .0, Instructions: 33COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 873d59d918b46e853761748c62b748c17edd47014bd95e3bb3d24de9d8712cb9
                                                                                            • Instruction ID: badd342d90284f9fd933ce3a25b154f60ebbbd8feb64b47ec048729cdae93ecf
                                                                                            • Opcode Fuzzy Hash: 873d59d918b46e853761748c62b748c17edd47014bd95e3bb3d24de9d8712cb9
                                                                                            • Instruction Fuzzy Hash: A9F0653580DA9C9FCB46EB78E4558E57F70EF16325B0501C7E049CF062E7219A59CBC2
                                                                                            Function 00007FF848D980F6 Relevance: .0, Instructions: 32COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8d5ccb04936b38795d8e99a73f2739bce317899942acba4625d0862513ca9d73
                                                                                            • Instruction ID: b239542bc97745d2da41d50755d4c7d35c2f3a2da6c11712daa752dae0bea618
                                                                                            • Opcode Fuzzy Hash: 8d5ccb04936b38795d8e99a73f2739bce317899942acba4625d0862513ca9d73
                                                                                            • Instruction Fuzzy Hash: C1F0E961E1EAC64FE7A8DE7C2490A646781EF58B84F1400BEC04DC728BEE186C094745
                                                                                            Function 00007FF848D909B0 Relevance: .0, Instructions: 29COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 872b7fef1ef6691745608d565d431a8b10d2a0706c42afc528083394d19a4860
                                                                                            • Instruction ID: 9b51440a412bf0cb6cb14ed845e5a505c810bb9bc23322b263f35c065314ee5e
                                                                                            • Opcode Fuzzy Hash: 872b7fef1ef6691745608d565d431a8b10d2a0706c42afc528083394d19a4860
                                                                                            • Instruction Fuzzy Hash: 3DF01C6190F7C54FE757B63498785A47F60AF13254B0D01EBD489CB1B3EA18594CC726
                                                                                            Function 00007FF848D94E70 Relevance: .0, Instructions: 24COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a8fccf46f040bbf5c545d64a7305fc701c00df2ecd38062ff500f2f28dd2663
                                                                                            • Instruction ID: 792855b01f5776bc64d2a3a57746f84048afee7ca24fe4445c88161a245ea8d3
                                                                                            • Opcode Fuzzy Hash: 7a8fccf46f040bbf5c545d64a7305fc701c00df2ecd38062ff500f2f28dd2663
                                                                                            • Instruction Fuzzy Hash: D7E0C22A94FA030AFB6C7139B8923BAA0C28F44384F49807AD41DC20C6DF9C9CC4816A
                                                                                            Function 00007FF848D9C069 Relevance: .0, Instructions: 21COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0c1e5a6896fce4eaacfcfe43d07a31f96276818ab5c104b8c28bc2e29ea4a72e
                                                                                            • Instruction ID: c0475b15ac399fc2ba847b7972124c8c30336daf37389babf2da0feb1c3adc71
                                                                                            • Opcode Fuzzy Hash: 0c1e5a6896fce4eaacfcfe43d07a31f96276818ab5c104b8c28bc2e29ea4a72e
                                                                                            • Instruction Fuzzy Hash: 11E0127151DA494FE784EB1CD496EAAF7D0FB9839CF400A7EE08DD2250DB69D9808706
                                                                                            Function 00007FF848D9C4AD Relevance: .0, Instructions: 13COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e122d968d6c8f6c9fadad1faee29953e6a9a3836a554ff98ec31578b56db7398
                                                                                            • Instruction ID: 9c0d908df6e655501a9aada73956bf588ad39d511d695006301f572069197e0a
                                                                                            • Opcode Fuzzy Hash: e122d968d6c8f6c9fadad1faee29953e6a9a3836a554ff98ec31578b56db7398
                                                                                            • Instruction Fuzzy Hash: CBC012B2A1A9075FE149B63C000A3B481D1FB44184F500074C00DD3292FF1954128105
                                                                                            Function 00007FF848D92914 Relevance: .0, Instructions: 8COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1a0ce64e7bb0b6cf2d2a83308223c33fad149cbb7e5e409e1cf76f611570199f
                                                                                            • Instruction ID: 8ce618dc94ab0b9c9489f1dea1185ec0eee6c87766686aa7714ecd9ab310cafe
                                                                                            • Opcode Fuzzy Hash: 1a0ce64e7bb0b6cf2d2a83308223c33fad149cbb7e5e409e1cf76f611570199f
                                                                                            • Instruction Fuzzy Hash: D4C09B10E1E5464EF144FF25544627D11526F88684F944435D41D86186CF7C6601566E

                                                                                            Non-executed Functions

                                                                                            Function 00007FF848D98F28 Relevance: 5.4, Strings: 4, Instructions: 393COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (MH$XJH$hJH$xMH
                                                                                            • API String ID: 0-3527033306
                                                                                            • Opcode ID: 02c8a481df13fb9ce35b013328aedc388f4434bf061707f5eda780a9d821faab
                                                                                            • Instruction ID: f75be581028b454ba0810f1fc8577e5ba1de784eee9537e52224fb153b7a7cce
                                                                                            • Opcode Fuzzy Hash: 02c8a481df13fb9ce35b013328aedc388f4434bf061707f5eda780a9d821faab
                                                                                            • Instruction Fuzzy Hash: 2AD1FA52C0F6D66FF3566A7868162B96F50EF12A98F0801FBC08C4B1DBEF58590A8349
                                                                                            Function 00007FF848D98EF8 Relevance: 5.3, Strings: 4, Instructions: 288COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (MH$XJH$hJH$xMH
                                                                                            • API String ID: 0-3527033306
                                                                                            • Opcode ID: d11d0b414f0605ff9fae1cb08599da6bf927de7f01004a9cec81d820670d217e
                                                                                            • Instruction ID: 73ed445aebc913cb1d3bd28b28c41307579a1aa45f10eb106f841ac8ba7f2b2d
                                                                                            • Opcode Fuzzy Hash: d11d0b414f0605ff9fae1cb08599da6bf927de7f01004a9cec81d820670d217e
                                                                                            • Instruction Fuzzy Hash: 0F91A653D0F6D25FF3126A7C68152B96F90EF12AA8F0D01FBC09C4B19BEF08594D9249
                                                                                            Function 00007FF848D98F08 Relevance: 5.3, Strings: 4, Instructions: 281COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (MH$XJH$hJH$xMH
                                                                                            • API String ID: 0-3527033306
                                                                                            • Opcode ID: 5f3a061f99e6ac1b94aed170b24d3156976e6649f2542fd94187e381a78c68d7
                                                                                            • Instruction ID: ec058f02b51cbf10210296283df43dc8847abba6d1e6e3bdf5321b34c6827654
                                                                                            • Opcode Fuzzy Hash: 5f3a061f99e6ac1b94aed170b24d3156976e6649f2542fd94187e381a78c68d7
                                                                                            • Instruction Fuzzy Hash: C191A652D0F6D25FF3126A7C68166B96F90EF12AA8F0D01FBC09C4B1DBEF08594D9249
                                                                                            Function 00007FF848D98F18 Relevance: 5.3, Strings: 4, Instructions: 276COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000009.00000002.3932655446.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_9_2_7ff848d90000_ScreenConnect.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (MH$XJH$hJH$xMH
                                                                                            • API String ID: 0-3527033306
                                                                                            • Opcode ID: 92efe40e8df78b5655ee68d0972443f78c948e499c20d98d5f031203c237865e
                                                                                            • Instruction ID: 5d5079f9e55f234c4ce480f6ab3b5030a208171057bc466135679899788cefc4
                                                                                            • Opcode Fuzzy Hash: 92efe40e8df78b5655ee68d0972443f78c948e499c20d98d5f031203c237865e
                                                                                            • Instruction Fuzzy Hash: 6491A653D0F6D25FF3126A7C68162B96F90EF12AA8F0D01FBC09C4B1DBEB08594D9249