Windows Analysis Report
invoice-benefits-agency9-24-2024.exe

Overview

General Information

Sample name: invoice-benefits-agency9-24-2024.exe
Analysis ID: 1523872
MD5: 00cd8ce405a29bad77e5caec894b44a0
SHA1: 016154e4ea41864e8c4b689c9f7ac7cceda5c7db
SHA256: ec0f1ec3f107b3559c97f1db4f9a1ae04481f2893c20b2e071f855309d7cc8ed
Tags: exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Initial sample is a PE file and has a suspicious name
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: invoice-benefits-agency9-24-2024.exe ReversingLabs: Detection: 18%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 87.6% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04060F08 CryptProtectData, 8_2_04060F08
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_040616F0 CryptProtectData, 8_2_040616F0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05DA0674 CryptUnprotectData, 8_2_05DA0674
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05DA2EA9 CryptUnprotectData, 8_2_05DA2EA9
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05DA066D CryptUnprotectData, 8_2_05DA066D
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe EXE: msiexec.exe Jump to behavior

Compliance
barindex
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe EXE: msiexec.exe Jump to behavior
Uses 32bit PE files
Source: invoice-benefits-agency9-24-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: invoice-benefits-agency9-24-2024.exe Static PE information: certificate valid
Source: invoice-benefits-agency9-24-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452789959.0000000002682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2593006992.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453273212.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452583861.0000000002530000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453076491.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1388670525.0000000000A8D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1365745532.00000000049C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363549444.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1363549444.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: invoice-benefits-agency9-24-2024.exe, MSI29CB.tmp.3.dr, 5d26de.msi.3.dr, MSI299C.tmp.3.dr, setup.msi.0.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: invoice-benefits-agency9-24-2024.exe, MSI22D5.tmp.2.dr, 5d26de.msi.3.dr, setup.msi.0.dr, 5d26dc.msi.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452789959.0000000002682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: invoice-benefits-agency9-24-2024.exe
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior

Networking
barindex
Enables network access during safeboot for specific services
Source: C:\Windows\System32\msiexec.exe Registry value created: NULL Service Jump to behavior
Uses dynamic DNS services
Source: unknown DNS query: name: mmf351.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.11:49703 -> 79.110.49.16:8041
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mmf351.ddns.net
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2594997092.0000000001CFD000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453273212.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.1363549444.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363773395.00000000049C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363549444.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.1363549444.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363773395.00000000049C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363549444.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.1363549444.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363773395.00000000049C3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363549444.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453273212.00000000027DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://choicebenefitsagency.com
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2594997092.0000000001E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://choicebenefitsagency.comLR_q
Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Reads the System eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: invoice-benefits-agency9-24-2024.exe
Contains functionality to launch a process as a different user
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_050E0040 CreateProcessAsUserW, 8_2_050E0040
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d26dc.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{5432CC63-8BF4-F791-1B1A-15E2F80B3217} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI299C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29CB.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E03.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d26de.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d26de.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5432CC63-8BF4-F791-1B1A-15E2F80B3217} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5432CC63-8BF4-F791-1B1A-15E2F80B3217}\DefaultIcon Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{5432CC63-8BF4-F791-1B1A-15E2F80B3217}.SchedServiceConfig.rmi Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa)\c3g3oimb.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa)\c3g3oimb.newcfg Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI29CB.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05EFF0D0 0_2_05EFF0D0
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05EF6F20 0_2_05EF6F20
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05EF60E0 0_2_05EF60E0
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05EF6F10 0_2_05EF6F10
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05F1039B 0_2_05F1039B
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_0107D5A8 8_2_0107D5A8
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A38038 8_2_04A38038
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3B9C0 8_2_04A3B9C0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3E358 8_2_04A3E358
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3E358 8_2_04A3E358
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3B9C0 8_2_04A3B9C0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C69FF 9_2_00007FFE7D0C69FF
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFE7CDB1128 10_2_00007FFE7CDB1128
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFE7D0C6BCF 10_2_00007FFE7D0C6BCF
PE file contains executable resources (Code or Archives)
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Sample file is different than original file name gathered from version info
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1363745360.0000000005A80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364607378.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamelibwebp.dllB vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364607378.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364607378.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364531689.0000000005CA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1366628403.000000000615C000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1366628403.000000000615C000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSfxCA.dllL vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1366628403.000000000615C000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamewixca.dll\ vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1366628403.000000000615C000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1369712697.00000000084BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewixca.dll\ vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1361943123.00000000046DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364509957.0000000005C90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibwebp.dllB vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.000000000146F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.000000000146F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenamelibwebp.dllB vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenamezlib.dll2 vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameSfxCA.dllL vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenamewixca.dll\ vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs invoice-benefits-agency9-24-2024.exe
Uses 32bit PE files
Source: invoice-benefits-agency9-24-2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsToolkit.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.invoice-benefits-agency9-24-2024.exe.f463d8.3.raw.unpack, CursorBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: classification engine Classification label: mal48.troj.evad.winEXE@17/56@1/1
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice-benefits-agency9-24-2024.exe.log Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe File created: C:\Users\user\AppData\Local\Temp\ScreenConnect Jump to behavior
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: invoice-benefits-agency9-24-2024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI22D5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6103906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: invoice-benefits-agency9-24-2024.exe ReversingLabs: Detection: 18%
Source: invoice-benefits-agency9-24-2024.exe String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: invoice-benefits-agency9-24-2024.exe String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe File read: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe "C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe"
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC344CC8D534C153146082E5C0B08418 C
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI22D5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6103906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8260A170A10C2A63DD060DA2E17AE0B9
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EC3C4A72C16F999398D301E804ECE99B E Global\MSI0000
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mmf351.ddns.net&p=8041&s=64aa4158-b0dc-4cfb-a3e6-dfec05b77827&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&t=invoice&c=choicebenefitsagency&c=https%3a%2f%2fchoicebenefitsagency.com&c=choicebenefitsagency&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "b39d397f-880b-4274-a788-d5e0ae46124e" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "2a312dd1-915e-4a70-b7fc-6da8f9a2cf4a" "System"
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BC344CC8D534C153146082E5C0B08418 C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8260A170A10C2A63DD060DA2E17AE0B9 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EC3C4A72C16F999398D301E804ECE99B E Global\MSI0000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI22D5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6103906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "b39d397f-880b-4274-a788-d5e0ae46124e" "User" Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "2a312dd1-915e-4a70-b7fc-6da8f9a2cf4a" "System" Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: invoice-benefits-agency9-24-2024.exe Static PE information: certificate valid
Source: invoice-benefits-agency9-24-2024.exe Static file information: File size 5622904 > 1048576
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: invoice-benefits-agency9-24-2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: invoice-benefits-agency9-24-2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452789959.0000000002682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2593006992.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453273212.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452583861.0000000002530000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453076491.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: invoice-benefits-agency9-24-2024.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1388670525.0000000000A8D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1365745532.00000000049C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1363549444.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1363549444.0000000004ACE000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: invoice-benefits-agency9-24-2024.exe, MSI29CB.tmp.3.dr, 5d26de.msi.3.dr, MSI299C.tmp.3.dr, setup.msi.0.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: invoice-benefits-agency9-24-2024.exe, MSI22D5.tmp.2.dr, 5d26de.msi.3.dr, setup.msi.0.dr, 5d26dc.msi.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: invoice-benefits-agency9-24-2024.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452789959.0000000002682000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2607687774.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1459561536.0000000012700000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: invoice-benefits-agency9-24-2024.exe
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: invoice-benefits-agency9-24-2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5c90000.1.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.0.invoice-benefits-agency9-24-2024.exe.14778f8.5.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
PE file contains an invalid checksum
Source: invoice-benefits-agency9-24-2024.exe Static PE information: real checksum: 0x54fd91 should be: 0x564969
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_034C6F00 push eax; mov dword ptr [esp], ecx 0_2_034C6F11
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05EF53E8 push eax; retf 0_2_05EF54D9
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05F12F58 push eax; mov dword ptr [esp], edx 0_2_05F12F6C
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Code function: 0_2_05F11A91 push eax; mov dword ptr [esp], ecx 0_2_05F11AA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_3_04C25C78 push ebx; retf 5_3_04C25C87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_3_04C25E70 push esi; retf 5_3_04C25E7F
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3CE60 push eax; mov dword ptr [esp], ecx 8_2_04A3CE61
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_04A3A890 push eax; mov dword ptr [esp], ecx 8_2_04A3A891
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDD0CC push es; retf 9_2_00007FFE7CDDD0CE
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDD088 push es; retf 9_2_00007FFE7CDDD08A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDBDED push es; retf 9_2_00007FFE7CDDBDEE
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDCD99 push es; retf 9_2_00007FFE7CDDCD9B
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDD494C push ebx; retf 9_2_00007FFE7CDD494D
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDD2E8 push es; retf 9_2_00007FFE7CDDD2EA
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDD2CE push esp; iretd 9_2_00007FFE7CDDD2CF
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7CDDBEBD push es; retf 9_2_00007FFE7CDDBEBE
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C7569 push ebx; iretd 9_2_00007FFE7D0C756A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C7D84 push ss; iretd 9_2_00007FFE7D0C7D85
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C79B3 push cs; retf 9_2_00007FFE7D0C79B5
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C21A2 push 00000044h; iretd 9_2_00007FFE7D0C21A4
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C55D5 push ebp; iretd 9_2_00007FFE7D0C55D8
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C7C7C push cs; retf 9_2_00007FFE7D0C7C7E
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C709F push cs; retf 9_2_00007FFE7D0C70A0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C1922 push FFFFFF9Fh; iretd 9_2_00007FFE7D0C1924
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C73BF push cs; retf 9_2_00007FFE7D0C73C0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C7A4B push cs; retf 9_2_00007FFE7D0C7A4D
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C5F16 push cs; retf 9_2_00007FFE7D0C5F17
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFE7D0C2F3C pushfd ; iretd 9_2_00007FFE7D0C2F3D
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFE7CDB00BD pushad ; iretd 10_2_00007FFE7CDB00C1
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFE7D0C994B push cs; retf 10_2_00007FFE7D0C9958
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFE7D0C9990 push cs; retf 10_2_00007FFE7D0C999D

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log Jump to behavior
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E03.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29CB.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E03.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29CB.tmp Jump to dropped file
May use bcdedit to modify the Windows boot settings
Source: ScreenConnect.ClientService.dll.3.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Creates or modifies windows services
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application Jump to behavior
Modifies existing windows services
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000002.1364607378.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: invoice-benefits-agency9-24-2024.exe, 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000005.00000003.1363549444.0000000004B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2593006992.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453273212.00000000026F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1452583861.0000000002530000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1453076491.00000000026C2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1463574573.000000001B5E2000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: invoice-benefits-agency9-24-2024.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.5.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 3480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 3520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 5520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 6DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 64D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 7DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 8DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 6DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: 9080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: A080000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1070000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 3AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1590000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1AFF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 24F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1A6F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2E03.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI29CB.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe TID: 7560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe TID: 8008 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe TID: 8172 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 5d26dc.msi.3.dr Binary or memory string: VMCi-
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2613414732.00000000041A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5cc0000.3.raw.unpack, WindowsExtensions.cs Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 0.2.invoice-benefits-agency9-24-2024.exe.5c90000.1.raw.unpack, Program.cs Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (e6cb77284cf765aa)\screenconnect.clientservice.exe" "?e=access&y=guest&h=mmf351.ddns.net&p=8041&s=64aa4158-b0dc-4cfb-a3e6-dfec05b77827&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&t=invoice&c=choicebenefitsagency&c=https%3a%2f%2fchoicebenefitsagency.com&c=choicebenefitsagency&c=&c=&c=&c=&c="
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI22D5.tmp-\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_050E054C CreateNamedPipeW, 8_2_050E054C
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01074D2E RtlGetVersion, 8_2_01074D2E
Source: C:\Users\user\Desktop\invoice-benefits-agency9-24-2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies security policies related information
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages Jump to behavior
Yara detected ScreenConnect Tool
Source: Yara match File source: invoice-benefits-agency9-24-2024.exe, type: SAMPLE
Source: Yara match File source: 0.2.invoice-benefits-agency9-24-2024.exe.5fa0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ScreenConnect.WindowsClient.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ScreenConnect.WindowsClient.exe.306fa20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ScreenConnect.WindowsClient.exe.276fa60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.invoice-benefits-agency9-24-2024.exe.5fa0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.invoice-benefits-agency9-24-2024.exe.ff5db8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.invoice-benefits-agency9-24-2024.exe.fcc3d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.invoice-benefits-agency9-24-2024.exe.f463d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.invoice-benefits-agency9-24-2024.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1366628403.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2593006992.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1401316749.0000000000CD2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1453273212.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1357879683.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1337072168.0000000000F46000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: invoice-benefits-agency9-24-2024.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8152, type: MEMORYSTR
Source: Yara match File source: C:\Config.Msi\5d26dd.rbs, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI299C.tmp, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523872 Sample: invoice-benefits-agency9-24... Startdate: 02/10/2024 Architecture: WINDOWS Score: 48 55 mmf351.ddns.net 2->55 61 Multi AV Scanner detection for submitted file 2->61 63 .NET source code contains potential unpacker 2->63 65 .NET source code references suspicious native API functions 2->65 69 4 other signatures 2->69 8 msiexec.exe 94 51 2->8         started        12 ScreenConnect.ClientService.exe 2 5 2->12         started        15 invoice-benefits-agency9-24-2024.exe 5 2->15         started        signatures3 67 Uses dynamic DNS services 55->67 process4 dnsIp5 35 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->35 dropped 37 C:\...\ScreenConnect.ClientService.exe, PE32 8->37 dropped 39 C:\...\ScreenConnect.WindowsClient.exe.config, XML 8->39 dropped 43 10 other files (none is malicious) 8->43 dropped 75 Enables network access during safeboot for specific services 8->75 77 Modifies security policies related information 8->77 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        21 msiexec.exe 8->21         started        57 mmf351.ddns.net 79.110.49.16, 49703, 8041 OTAVANET-ASCZ Germany 12->57 79 Reads the Security eventlog 12->79 81 Reads the System eventlog 12->81 23 ScreenConnect.WindowsClient.exe 3 12->23         started        26 ScreenConnect.WindowsClient.exe 2 12->26         started        41 invoice-benefits-agency9-24-2024.exe.log, ASCII 15->41 dropped 83 Contains functionality to hide user accounts 15->83 28 msiexec.exe 6 15->28         started        file6 signatures7 process8 file9 31 rundll32.exe 11 17->31         started        71 Creates files in the system32 config directory 23->71 73 Contains functionality to hide user accounts 23->73 45 C:\Users\user\AppData\Local\...\MSI22D5.tmp, PE32 28->45 dropped signatures10 process11 file12 47 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->47 dropped 49 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->49 dropped 51 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->51 dropped 53 4 other files (none is malicious) 31->53 dropped 59 Contains functionality to hide user accounts 31->59 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
79.110.49.16
 mmf351.ddns.net Germany
57287 OTAVANET-ASCZ true

Contacted Domains

Name IP Active
mmf351.ddns.net 79.110.49.16 true